{"uuid": "e70842ce-f6b7-4a96-b112-9641418dc4fb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-32149", "type": "seen", "source": "https://gist.github.com/alon710/c304e0355d4b523094aabb49f860b83c", "content": "# GHSA-MQXV-9RM6-W8QC: GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass\n\n&gt; **CVSS Score:** 8.7\n&gt; **Published:** 2026-07-14\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-MQXV-9RM6-W8QC\n\n## Summary\nA critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.\n\n## TL;DR\nUnauthenticated remote attackers can exhaust server CPU resources by sending a crafted 1 MiB Accept-Language header using underscores, bypassing CVE-2022-32149.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-770\n- **Attack Vector**: Network\n- **CVSS**: 8.7 (High)\n- **Complexity**: Low\n- **Impact**: Denial of Service (CPU Exhaustion)\n- **Exploit Status**: Proof-of-Concept Available\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Ech0 publishing platform (github.com/lin-snow/ech0)\n- **github.com/lin-snow/ech0**: &lt; 5.0.1 (Fixed in: `5.0.1`)\n\n## Mitigation\n\n- Upgrade to Ech0 version 5.0.1 or higher.\n- Implement validation on the incoming Accept-Language header to limit length and the count of separators before parsing.\n- Configure front-end reverse proxies or WAFs to restrict HTTP header lengths.\n\n**Remediation Steps:**\n1. Verify your current version of github.com/lin-snow/ech0 is below 5.0.1.\n2. Modify your go.mod file to require github.com/lin-snow/ech0 v5.0.1 or apply the defensive middleware patch directly in internal/i18n/i18n.go.\n3. Recompile and deploy the updated binary to your production environments.\n\n## References\n\n- [GitHub Security Advisory GHSA-MQXV-9RM6-W8QC](https://github.com/advisories/GHSA-MQXV-9RM6-W8QC)\n- [Ech0 Repository Homepage](https://github.com/lin-snow/Ech0)\n- [Vulnerable Middleware File](https://github.com/lin-snow/Ech0/blob/451c7c10eb1f23f7525c163e83f8b39f46d5aad0/internal/i18n/i18n.go)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-MQXV-9RM6-W8QC) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-14T22:13:10.209508Z"}