CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-MQXV-9RM6-W8QC

GHSA-MQXV-9RM6-W8QC: CPU Exhaustion in Ech0 i18n Middleware via Accept-Language Header Parser Bypass

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 14, 2026·5 min read·3 visits

Executive Summary (TL;DR)

Unauthenticated remote attackers can exhaust server CPU resources by sending a crafted 1 MiB Accept-Language header using underscores, bypassing CVE-2022-32149.

A critical Denial of Service (DoS) vulnerability in the Ech0 publishing platform allows unauthenticated remote attackers to exhaust CPU resources via a crafted Accept-Language header. By utilizing underscore separators instead of hyphens, the attack bypasses the CVE-2022-32149 guard within the Go language tag parser, triggering a quadratic-time complexity operation.

Vulnerability Overview

The publishing platform Ech0 incorporates an internationalization (i18n) middleware component designed to localise application content for incoming HTTP clients. This middleware processes every unauthenticated HTTP request arriving at public endpoints such as the landing page and public API feeds. The middleware automatically extracts the client-supplied Accept-Language HTTP header and forwards its contents to the underlying language parser library.

Because the middleware processes this header prior to authentication and without string length enforcement, it exposes a direct network attack surface. The parsing library x/text/language evaluates the raw input value to match the closest supported language tag. Consequently, any malicious payload injected into this header is parsed using server CPU resources before the request routing is resolved.

This architecture creates a critical path for denial-of-service vectors. An unauthenticated remote attacker can easily exploit this flow by sending requests containing structured, malformed language tags. The lack of proactive input filtering in the middleware allows attackers to force the underlying parsing engine to execute high-complexity computation loops.

Root Cause Analysis

The root cause of this vulnerability lies in a bypass of the security mitigation implemented for CVE-2022-32149 within the golang.org/x/text language tag parser. The original mitigation restricted processing of inputs containing more than 1,000 hyphen characters. This check was designed to prevent a quadratic-time complexity loop when scanning malformed tags.

However, the scanner in golang.org/x/text/internal/language/parse.go normalizes underscore characters to hyphens on the fly during parsing. An attacker can construct a payload substituting underscore characters for hyphens. Because the CVE-2022-32149 guard exclusively counts literal hyphen characters, the input bypasses the restriction entirely.

When the parser processes these normalized tokens, it evaluates the length of each token. If a token exceeds the limit of eight bytes, the parser falls back to an internal gobble function. This function uses runtime.memmove to shift the remaining memory buffer contents. When processing N malformed tokens, the continuous buffer shift operations trigger quadratic-time O(N^2) computational complexity.

Code Analysis

The vulnerable middleware implementation in internal/i18n/i18n.go accepts the raw header string without validation. The application does not define a custom HTTP header limit, defaulting to the Go standard library limit of 1 MiB. This allows an attacker to transmit 1,048,576 bytes of malicious language tags in a single request.

// Vulnerable Middleware code in internal/i18n/i18n.go
func Middleware() gin.HandlerFunc {
    return func(ctx *gin.Context) {
        explicit := explicitLocaleFromRequest(ctx)
        acceptLanguage := strings.TrimSpace(ctx.GetHeader(\"Accept-Language\"))
        locale := systemDefaultLocale()
        if explicit != "" {
            locale = ResolveLocale(explicit, acceptLanguage)
        }
        setLocaleContext(ctx, locale, acceptLanguage)
        ctx.Next()
    }
}

The flow moves from the middleware directly into the language tag parser. The diagram below illustrates the exact request processing path leading to CPU exhaustion.

The security fix introduced in Ech0 version 5.0.1 resolves this issue by enforcing validation limits on the count of separator characters. Specifically, the patch validates that the combined count of hyphens and underscores does not exceed a secure threshold. This limits the worst-case time complexity of the parser and prevents CPU amplification. This mitigation is complete because it addresses the underlying parsing path before it reaches the vulnerable Go standard library code.

Exploitation Methodology

Exploitation is straightforward and requires zero authentication or special server configurations. The attacker identifies public endpoints that invoke the i18n middleware, which typically includes the default root path. A payload is structured by repeating underscore-prefixed tokens of length nine to trigger the gobble code path. A single 1 MiB payload is sufficient to pin a CPU core for several seconds.

# Example of single-line bash exploit payload execution
PAYLOAD=\"en$(python3 -c 'print(\"_abcdefghi\" * 100000, end=\"\")')\"
curl -s -H \"Accept-Language: ${PAYLOAD}\" http://127.0.0.1:18300/

The target application processes the request synchronously inside the current goroutine. This blocks the execution thread until the parsing loop finishes. Because Go multiplexes goroutines over a pool of operating system threads, saturating the threads causes complete application unresponsiveness.

Impact Assessment

The security impact of this vulnerability is a high-impact denial of service. A single malicious request consuming 1 MiB of bandwidth can lock a single CPU core for up to 7.9 seconds when evaluated twice. Attackers can scale this technique to block all available processing threads on a multi-core server with minimal effort.

To achieve a sustained denial of service, an attacker only needs to transmit roughly 10 MiB of data per second. This low bandwidth requirement makes the vulnerability easy to exploit using basic consumer internet connections. The attack does not require persistent connections or session maintenance, facilitating simple distributed amplification attacks.

This vulnerability does not directly permit data exfiltration or arbitrary code execution. The entire impact is confined to resource exhaustion and application availability. However, the ease of trigger and the lack of prerequisites makes this a highly critical availability threat for deployments of Ech0.

Remediation & Mitigation

Remediation requires upgrading the Ech0 package to version 5.0.1 or higher. This version implements input sanitization limits on the Accept-Language header. For installations where immediate upgrade is impossible, developers should implement a custom middleware handler that truncates or rejects long headers.

// Mitigation: Add helper to reject high-separator headers
const maxSeparators = 32
func sanitizeHeader(header string) string {
    if strings.Count(header, \"-\") + strings.Count(header, \"_\") > maxSeparators {
        return \"\"
    }
    return header
}

Additionally, operations teams can configure front-end reverse proxies such as Nginx or HAProxy to restrict the maximum size of incoming HTTP headers. Restricting HTTP request headers to 8 KiB or smaller provides an effective external mitigation layer. This prevents malicious payloads from ever reaching the Go application environment.

Technical Appendix

CVSS Score
8.7/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Systems

Ech0 publishing platform (github.com/lin-snow/ech0)

Affected Versions Detail

Product
Affected Versions
Fixed Version
github.com/lin-snow/ech0
lin-snow
< 5.0.15.0.1
AttributeDetail
CWE IDCWE-770
Attack VectorNetwork
CVSS8.7 (High)
ComplexityLow
ImpactDenial of Service (CPU Exhaustion)
Exploit StatusProof-of-Concept Available
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1499.004Application Exhaustion Flood
Impact
CWE-770
Allocation of Resources Without Limits or Throttling

The product allocates memory, CPU, or other resources without limits or throttling, allowing an attacker to cause resource exhaustion.

References & Sources

  • [1]GitHub Security Advisory GHSA-MQXV-9RM6-W8QC
  • [2]Ech0 Repository Homepage
  • [3]Vulnerable Middleware File

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•20 minutes ago•CVE-2026-54448
6.5

CVE-2026-54448: Denial of Service in Trivy Helm Chart Parser via Decompression Bomb

CVE-2026-54448 is a critical denial of service vulnerability in Trivy's Infrastructure-as-Code (IaC) misconfiguration scanning engine. Prior to version 0.71.0, Trivy utilized a custom archive parser to unpack Helm chart tarballs (.tgz) during automated scans. This custom implementation iterated through compressed files and loaded their entire raw contents into system memory using the io.ReadAll function without implementing size limits or threshold checks, enabling an attacker to trigger an immediate heap-allocation crash or system Out-of-Memory (OOM) termination using a decompression bomb.

Alon Barad
Alon Barad
2 views•7 min read
•about 1 hour ago•GHSA-9HC2-HJX8-Q6PV
9.6

GHSA-9HC2-HJX8-Q6PV: Remote Code Execution in TidGi Desktop via Malicious TiddlyWiki Repository Import

A critical remote code execution vulnerability exists in TidGi Desktop up to version 0.13.0. The flaw allows an attacker to execute arbitrary code with Node.js privileges when a user imports or clones a malicious TiddlyWiki repository. This occurs due to the automatic execution of 'startup' modules defined in user-imported tiddler files.

Alon Barad
Alon Barad
2 views•5 min read
•about 2 hours ago•GHSA-HGJX-R89M-M7V4
9.9

GHSA-HGJX-R89M-M7V4: Remote Code Execution via Path Traversal in FacturaScripts

FacturaScripts is an open-source PHP-based enterprise resource planning (ERP) and billing software. A critical path traversal vulnerability in the file-handling logic allows authenticated attackers with file upload permissions to write arbitrary files to any location on the system writable by the web server user. By writing custom server configuration files (.htaccess) to directories excluded from default rewrite rules, attackers can map allowed file types (like .png) to the PHP interpreter, leading to full remote code execution.

Amit Schendel
Amit Schendel
5 views•7 min read
•about 3 hours ago•GHSA-7RX3-5WX3-5V76
7.7

GHSA-7rx3-5wx3-5v76: Missing Authorization in Nebula-mesh Webhook Subscription API Enables Server-Side Request Forgery

Nebula-mesh allows non-admin operators to disable webhook SSRF (Server-Side Request Forgery) protection via the allow_private parameter. Low-privilege operators can configure webhook endpoints targeting internal endpoints and trigger lifecycle events on resources they own, bypassing network access controls.

Amit Schendel
Amit Schendel
6 views•4 min read
•about 3 hours ago•GHSA-Q3V2-XJ35-9GRX
4.9

GHSA-Q3V2-XJ35-9GRX: Unrestricted Configuration Resolution in Umbraco.AI Leads to Sensitive Information Exposure

An information exposure vulnerability exists in Umbraco.AI package versions up to 1.13.0, where an authenticated backoffice user with elevated privileges can resolve and retrieve arbitrary configuration values from the global ASP.NET Core IConfiguration hierarchy.

Alon Barad
Alon Barad
7 views•6 min read
•about 4 hours ago•CVE-2025-61670
3.3

CVE-2025-61670: Memory Leak in Wasmtime C/C++ API WebAssembly GC Reference Handling

A technical analysis of CVE-2025-61670, a memory leak vulnerability in Wasmtime's C and C++ API bindings. The issue stems from a refactoring in version 37.0.0 that transitioned garbage-collected reference tracking to host heap-allocated OwnedRooted types without updating FFI ownership semantics.

Alon Barad
Alon Barad
5 views•7 min read