CVE-2026-25766: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in labstack echo
Echo is a Go web framework. In versions 5.0.0 through 5.0.2 on Windows, Echo’s `middleware.Static` using the default filesystem allows path traversal via backslashes, enabling unauthenticated remote file read outside the static root. In `middleware/static.go`, the requested path is unescaped and normalized with `path.Clean` (URL semantics). `path.Clean` does not treat `\` as a path separator, so `..\` sequences remain in the cleaned path. The resulting path is then passed to `currentFS.Open(...)`. When the filesystem is left at the default (nil), Echo uses `defaultFS` which calls `os.Open` (`echo.go:792`). On Windows, `os.Open` treats `\` as a path separator and resolves `..\`, allowing traversal outside the static root. Version 5.0.3 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-25766 is a path traversal in Echo's middleware.Static that affects versions 5.0.0 through 5.0.2 only when the process runs on Windows. The middleware percent-decodes the requested path and then normalizes it with Go's path.Clean. path.Clean works on slash-separated paths and treats '\\' as an ordinary character, so an element such as '..\\' survives cleaning unchanged. If the middleware's filesystem is left at its default (nil), Echo falls back to defaultFS, which opens files with os.Open (echo.go:792). On Windows, os.Open accepts '\\' as a path separator, so the surviving '..\\' elements are resolved as parent-directory steps and the open escapes the static root. The defect is the mismatch between what the normalizer and the filesystem consider a separator: forward-slash '../' elements are exactly what path.Clean does resolve, which is why the traversal is specific to backslashes. Because the path is unescaped before it is cleaned, a percent-encoded backslash ('%5c') reaches os.Open as '\\' just as a literal one does. Linux and macOS deployments are not affected, since os.Open there treats '\\' as a normal filename character. Echo 5.0.3 fixes the issue. No exploitation in the wild had been reported at publication. The CVSS v3.1 base score is 5.3 (medium): network attack vector, low complexity, no privileges or user interaction required, and impact limited to confidentiality.
Potential Impact
An unauthenticated remote attacker can read files outside the intended static directory on Windows hosts running a vulnerable Echo version. Configuration files, source code, credentials and other private data on the host are exposed if the attacker can guess or discover their paths, and such disclosure commonly feeds follow-on attacks (reconnaissance, credential reuse, exploitation of other weaknesses). Integrity and availability are not affected. The read happens through os.Open under the service's own identity, so what can be taken is bounded by what the process account can read; a low-privilege service account narrows the exposure, an administrative one widens it to the whole host. Because no authentication or user interaction is required, exploitation is trivially scripted and can be run at scale against any reachable Windows deployment that serves static content with the default filesystem. The medium score reflects low attack complexity paired with a confidentiality-only impact.
Mitigation Recommendations
1. Upgrade Echo to version 5.0.3 or later.
2. If an immediate upgrade is not possible, reject any static request whose path, after percent-decoding, contains a backslash. Run the check on the decoded form, because the middleware unescapes before it cleans: a literal '\\', a single-encoded '%5c' and, since net/http already decodes the request path once, a double-encoded '%255c' all arrive at the filesystem as '\\'.
3. On Windows, do not leave the static middleware's filesystem at nil; pass an explicit fs.FS. Go's os.DirFS refuses names containing '\\' or ':' on Windows and enforces fs.ValidPath, so it fails closed where defaultFS's os.Open does not.
4. At a reverse proxy or WAF, block request paths containing '\\', '%5c' or '%255c' before they reach the application. The proxy cannot see which file the backend finally opens, so treat this as defense in depth, not as the fix.
5. Run the service under a low-privilege account and keep secrets, configuration and source out of any tree that account can read; a traversal read is bounded by the process identity's permissions.
6. Review every use of middleware.Static and confirm that nothing sensitive sits inside or beside the static root.
7. Alert on access-log entries whose path contains '\\', '%5c' or '%255c'. A 200 response to such a request on an unpatched Windows host should be treated as a successful file read and investigated.
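The separator mismatch described in the Technical Summary, and the decode-then-reject check recommended in mitigation item 2, as an added Go example. This is not Echo's code and not the 5.0.3 fix: `vulnerableNormalize` mirrors the advisory's unescape-then-`path.Clean` pipeline, `safeStaticName` is a hardened replacement that yields a name valid for any `fs.FS`, and `denyBackslashTraversal` wraps it as a standard-library `net/http` middleware. The function names, the leading-slash anchoring before `path.Clean`, the `guarded` stand-in handler and the probe paths are all assumptions constructed for this example; Echo 5's actual join logic and middleware API are not reproduced.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// ErrUnsafePath marks a request path that must never reach the filesystem.
var ErrUnsafePath = errors.New("unsafe static path")

// vulnerableNormalize reproduces the pipeline the advisory describes for the
// affected versions: percent-decode the request path, then path.Clean it.
// The leading "/" anchors the path so "/../x" collapses to "/x"; that anchor is
// an assumption about how the real code joins paths, not a quote of it.
// path.Clean treats only "/" as a separator, so a "..\" element is preserved
// verbatim, and on Windows os.Open later reads it as "go up one directory".
func vulnerableNormalize(reqPath string) (string, error) {
	p, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", err
	}
	return path.Clean("/" + p), nil
}

// safeStaticName is the hardened replacement. It returns a slash-separated,
// root-relative name that satisfies fs.ValidPath (the contract fs.FS
// implementations such as os.DirFS enforce) or ErrUnsafePath. Refusing any
// backslash after decoding closes the Windows gap whichever fs.FS sits behind
// the handler; refusing NUL avoids truncation in lower-level APIs.
func safeStaticName(reqPath string) (string, error) {
	p, err := url.PathUnescape(reqPath)
	if err != nil {
		return "", ErrUnsafePath
	}
	if strings.ContainsAny(p, "\\\x00") {
		return "", ErrUnsafePath
	}
	name := strings.TrimPrefix(path.Clean("/"+p), "/")
	if name == "" {
		name = "." // the static root itself
	}
	if !fs.ValidPath(name) {
		return "", ErrUnsafePath
	}
	return name, nil
}

// denyBackslashTraversal is a net/http middleware (standard library, not Echo's
// API) that runs safeStaticName before the wrapped handler. r.URL.Path has
// already been decoded once by net/http; decoding it once more, as the static
// handler does, catches a literal "\", a single-encoded "%5c" and a
// double-encoded "%255c" alike.
func denyBackslashTraversal(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := safeStaticName(r.URL.Path); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// guarded stands in for a static file handler: it answers 200 for anything
// the middleware lets through, so the status code alone shows the decision.
var guarded = denyBackslashTraversal(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
}))

// statusFor drives a handler with an in-memory request and returns the status.
func statusFor(h http.Handler, target string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	// Constructed probe targets: slash traversal (confined by path.Clean) and
	// backslash traversal in single- and double-encoded form.
	probes := []string{
		"/css/../js/app.js",
		"/../../etc/passwd",
		"/..%5c..%5cwindows%5cwin.ini",
		"/..%255c..%255cwindows%255cwin.ini",
	}
	for _, target := range probes {
		u, err := url.ParseRequestURI(target)
		if err != nil {
			panic(err)
		}
		// u.Path is what r.URL.Path holds: decoded once by net/http.
		v, _ := vulnerableNormalize(u.Path)
		s, serr := safeStaticName(u.Path)
		fmt.Printf("%-36s cleaned=%-26q hardened=%q err=%v status=%d\n",
			target, v, s, serr, statusFor(guarded, target))
	}
}
```

The example runs on any OS because it inspects the string that would be handed to Open rather than opening anything: on Linux `..\..\windows\win.ini` is merely an odd filename, on Windows it is a traversal. That is why the check lives on the decoded string and not on the platform, and why a name that passes `safeStaticName` is also one that `os.DirFS` would accept.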
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, Netherlands, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-05T18:35:52.358Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69973b6be884a8a4cb40974c
Added to database: 2/19/2026, 4:33:47 PM
Last enriched: 2/19/2026, 4:43:15 PM
Last updated: 2/20/2026, 2:23:38 AM
Related Threats
- CVE-2026-2820: SQL Injection in Fujian Smart Integrated Management Platform System (Medium)
- CVE-2026-2819: Missing Authorization in Dromara RuoYi-Vue-Plus (Medium)
- CVE-2026-26065: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre (Critical)
- CVE-2026-26064: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in kovidgoyal calibre (Critical)
- CVE-2026-26980: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in TryGhost Ghost (Critical)