{"uuid": "c8de7969-5cec-41a7-82da-720218a63363", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-fpw6-hrg5-q5x5", "type": "seen", "source": "https://gist.github.com/alon710/0cdc02556b5fc971b210e0b65ed6b385", "content": "# GHSA-FPW6-HRG5-Q5X5: GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0\n\n> **CVSS Score:** 7.4\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-FPW6-HRG5-Q5X5\n\n## Summary\nEch0 access tokens created with the 'never expire' option generate JSON Web Tokens (JWT) missing the 'exp' claim. This structural omission causes a nil-pointer dereference during logout and prevents the JTI blacklisting mechanism from functioning. Consequently, leaked access tokens cannot be revoked by administrators.\n\n## TL;DR\nA missing expiration claim in Ech0's 'never expire' JWTs causes panics and silently breaks token revocation, allowing attackers to maintain perpetual access with stolen tokens.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-613, CWE-476, CWE-300\n- **Attack Vector**: Network\n- **CVSS Score**: 7.4\n- **Impact**: Persistent Authorization Bypass\n- **Exploit Status**: Proof of Concept\n- **Component**: JWT Handler & Authentication Repository\n\n## Affected Systems\n\n- Ech0 (all versions prior to commit eab62379)\n- **Ech0**: < 1.4.8 (Fixed in: `1.4.8`)\n\n## Mitigation\n\n- Update Ech0 to version 1.4.8 or later\n- Rotate the global JWT_SECRET in application configuration to invalidate all currently circulating tokens\n- Audit database records for legacy tokens with missing expiration configuration\n\n**Remediation Steps:**\n1. Pull the latest Ech0 release (v1.4.8) from the official repository.\n2. Restart the Ech0 application service to apply the updated binary.\n3. Identify all access tokens currently configured with 'never expire' via the administrative interface.\n4. Delete and recreate these specific tokens to ensure they utilize the new 100-year fallback logic.\n5. If active exploitation is suspected, rotate the JWT_SECRET environment variable immediately.\n\n## References\n\n- [GitHub Advisory Database](https://github.com/advisories/GHSA-fpw6-hrg5-q5x5)\n- [OSV Data Record](https://osv.dev/vulnerability/GHSA-fpw6-hrg5-q5x5)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-FPW6-HRG5-Q5X5) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-08T06:40:29.000000Z"}