Ech0 is an open-source self-hosted publishing platform that implements link preview functionality by fetching page titles via an unauthenticated API endpoint. Prior to version 4.2.8, the GET /api/website/title endpoint accepts fully attacker-controlled URLs and performs server-side HTTP GET requests without restrictions or validation. The server reads the entire response body into memory and uses an HTTP client with TLS verification disabled (InsecureSkipVerify: true). There is no host allowlist or SSRF filter, allowing an attacker with network access to the Ech0 instance to induce the server to make arbitrary HTTP/HTTPS requests from its network environment, such as Docker bridge, VPC, or localhost. This SSRF vulnerability is addressed in version 4.2.8.

An attacker who can access the vulnerable Ech0 instance can cause the server to make arbitrary HTTP/HTTPS requests from its network position. This can potentially be used to access internal resources not otherwise reachable by the attacker, leading to information disclosure or further network reconnaissance. The CVSS 3.1 base score is 7.5 (High), reflecting the network attack vector, no required privileges or user interaction, and high confidentiality impact. There is no indication of integrity or availability impact. No known exploits in the wild have been reported.

This vulnerability is fixed in Ech0 version 4.2.8. Users should upgrade to version 4.2.8 or later to remediate this SSRF issue. Since the vendor advisory or patch links are not provided, confirm upgrade availability from the official lin-snow Ech0 project sources. Until upgraded, restrict network access to the Ech0 instance to trusted users only to reduce exposure. Patch status is not explicitly confirmed beyond the stated fix in 4.2.8; verify with vendor sources for official patches or updates.