{"uuid": "e0f326ee-ae0b-4c97-ae50-99edb9571153", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-P64J-F4X9-WQ66", "type": "seen", "source": "https://gist.github.com/alon710/74b6abbcb632e245c7e0a9a5201c4015", "content": "# GHSA-P64J-F4X9-WQ66: OAuth Redirect URI Path Truncation in Ech0 Leads to Authorization Code Theft\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-05-07\n> **Full Report:** https://cvereports.com/reports/GHSA-P64J-F4X9-WQ66\n\n## Summary\nThe Ech0 lightweight publishing platform contains a high-severity vulnerability in its OAuth 2.0 implementation: redirect URI validation compares only the host of the supplied redirect URI against the allowlist and ignores the path component. This lets an attacker route an authenticated victim to an unregistered endpoint on a trusted domain, where the authorization code carried in the callback URL can be captured and exchanged for the victim's session, resulting in account takeover.\n\n## TL;DR\nImproper validation of OAuth redirect URIs in Ech0 allows attackers to append arbitrary paths to trusted domains. 
Exploitation leads to the theft of authorization codes and full account takeover.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect')\n- **Attack Vector**: Network\n- **CVSS Score**: 8.1 (High)\n- **Impact**: Account Takeover via Authorization Code Theft\n- **Exploit Status**: Proof of Concept\n- **Authentication Required**: None\n\n## Affected Systems\n\n- Ech0 open-source publishing platform\n- **Ech0**: < a7e8b8e84bd1e3db090dfb720f2c6c433356b442 (Fixed in: `a7e8b8e84bd1e3db090dfb720f2c6c433356b442`)\n\n## Mitigation\n\n- Update the application codebase to a version containing the patch commit a7e8b8e84bd1e3db090dfb720f2c6c433356b442.\n- Audit the Auth.Redirect.AllowedReturnURLs configuration: list full callback URLs rather than bare domains, and keep the list as short as possible.\n- As defence in depth, add Web Application Firewall (WAF) rules that reject OAuth redirect URI values whose path differs from the registered callback; this does not replace the code fix, because the comparison must happen where the authorization request is processed.\n- Monitor application logs for OAuth callbacks arriving at unexpected paths and for open redirect patterns.\n\n**Remediation Steps:**\n1. Identify the current running version of the Ech0 deployment.\n2. Pull the latest updates from the official Ech0 repository, ensuring commit a7e8b8e84bd1e3db090dfb720f2c6c433356b442 is included.\n3. Review the application configuration file and explicitly define the full callback URLs rather than relying on domain-level trust.\n4. Restart the Ech0 application service to apply the updated binary and configuration.\n5. 
Execute functional tests against the /login and /bind endpoints to confirm that redirect URIs pointing at an unregistered path on an allowed host are rejected, while the registered callback URLs (with or without a query string) are still accepted.\n\n## References\n\n- [GitHub Security Advisory: GHSA-P64J-F4X9-WQ66](https://github.com/advisories/GHSA-P64J-F4X9-WQ66)\n- [Ech0 Patch Commit a7e8b8e84bd](https://github.com/lin-snow/Ech0/commit/a7e8b8e84bd1e3db090dfb720f2c6c433356b442)\n- [Ech0 GitHub Repository](https://github.com/lin-snow/Ech0)\n- [RFC 6749 Section 3.1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-3.1.2)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-P64J-F4X9-WQ66) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-07T21:40:28.000000Z"}
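The host-only check the advisory describes, beside the RFC 6749 section 3.1.2 exact-match check that the mitigation calls for, as an added example. This is not code from the Ech0 repository or the patch commit; it is written in Go on the assumption that Ech0's backend is Go, and the allowlist, hostnames and function names (`allowedReturnURLs`, `hostOnlyAllowed`, `exactMatchAllowed`, `verdict`) are constructed for illustration and only stand in for a setting shaped like `Auth.Redirect.AllowedReturnURLs`.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// allowedReturnURLs stands in for an allowlist shaped like Ech0's
// Auth.Redirect.AllowedReturnURLs setting. The values are constructed for
// this example and are not the project's defaults.
var allowedReturnURLs = []string{
	"https://blog.example/callback",
	"https://blog.example/bind/callback",
}

// hostOnlyAllowed reproduces the flaw the advisory describes: only the host
// of the supplied redirect URI is compared with the allowlist, so any path on
// an allowed host is accepted and the authorization code can be delivered to
// an endpoint the operator never registered.
func hostOnlyAllowed(redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	for _, entry := range allowedReturnURLs {
		allowed, err := url.Parse(entry)
		if err == nil && strings.EqualFold(u.Host, allowed.Host) {
			return true
		}
	}
	return false
}

// exactMatchAllowed follows RFC 6749 section 3.1.2: the supplied redirect URI
// must match a registered full callback URL by simple string comparison of
// scheme, host and path. Only the query string may differ, since the client
// may carry state there; a relative URI, a userinfo part or a fragment is
// rejected outright. Exact path comparison also defeats "/callback/../evil",
// which Go's url.Parse leaves un-normalised and which therefore never equals
// "/callback".
func exactMatchAllowed(redirect string) bool {
	u, err := url.Parse(redirect)
	if err != nil || !u.IsAbs() || u.User != nil || u.Fragment != "" {
		return false
	}
	for _, entry := range allowedReturnURLs {
		allowed, err := url.Parse(entry)
		if err != nil {
			continue
		}
		if strings.EqualFold(u.Scheme, allowed.Scheme) &&
			strings.EqualFold(u.Host, allowed.Host) &&
			u.Path == allowed.Path {
			return true
		}
	}
	return false
}

// verdict summarises both checks for one candidate so the vulnerable and the
// fixed behaviour can be read side by side.
func verdict(redirect string) string {
	return fmt.Sprintf("%-42s host-only=%-5t exact=%t",
		redirect, hostOnlyAllowed(redirect), exactMatchAllowed(redirect))
}

func main() {
	// Constructed candidates: the first two are legitimate callbacks, the
	// rest are the kinds of values an attacker would place in redirect_uri.
	for _, c := range []string{
		"https://blog.example/callback",
		"https://blog.example/callback?state=abc",
		"https://blog.example/evil",
		"https://blog.example/callback/../evil",
		"https://blog.example/callback#fragment",
		"http://blog.example/callback",
		"https://evil.example/callback",
	} {
		fmt.Println(verdict(c))
	}
}
```

Running the block shows the host-only check accepting every `blog.example` candidate, including the traversal and fragment variants, while the exact-match check accepts only the two registered callbacks. The same set of candidates is what step 5 of the remediation should be exercised with against the `/login` and `/bind` endpoints.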