Sourced from github.com/labstack/echo/v5's releases.
v5.0.3 security (static middleware directory traversal under Windows)
Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by
@shblue21(labstack/echo#2891).This applies to cases when:
- Windows is used as OS
middleware.StaticConfig.Filesystemisnil(default)echo.Filesystemis has not been set explicitly (default)Full Changelog: https://github.com/labstack/echo/compare/v5.0.2...v5.0.3
v5.0.2 security (static middleware folder browsing)
Security
- Fix Static middleware when folder browsing is enabled (
config.Browse=true, defaults tofalse) lists all files/subfolders fromconfig.Filesystemroot folder and not starting fromconfig.Rootand requested folder in labstack/echo#2887 . Reported by@shblue21in labstack/echo#2886Full Changelog: https://github.com/labstack/echo/compare/v5.0.1...v5.0.2
v5.0.1 small fixes
What's Changed
- Panic MW: will now return a custom PanicStackError with stack trace by
@aldasin labstack/echo#2871- Docs: add missing err parameter to DenyHandler example by
@cgalibernin labstack/echo#2878- Context: improve websocket checks in IsWebSocket() [per RFC 6455] by
@raju-mechatronicsin labstack/echo#2875- Fix: Context.Json() should not send status code before serialization is complete by
@aldasin labstack/echo#2877New Contributors
@cgalibernmade their first contribution in labstack/echo#2878@raju-mechatronicsmade their first contribution in labstack/echo#2875Full Changelog: https://github.com/labstack/echo/compare/v5.0.0...v5.0.1
Sourced from github.com/labstack/echo/v5's changelog.
v5.0.3 - 2026-02-06
Security
- Fix directory traversal vulnerability under Windows in Static middleware when default Echo filesystem is used. Reported by
@shblue21.This applies to cases when:
- Windows is used as OS
middleware.StaticConfig.Filesystemisnil(default)echo.Filesystemis has not been set explicitly (default)Exposure is restricted to the active process working directory and its subfolders.
v5.0.2 - 2026-02-02
Security
- Fix Static middleware with
config.Browse=truelists all files/subfolders fromconfig.Filesystemroot and not starting fromconfig.Rootin labstack/echo#2887v5.0.1 - 2026-01-28
- Panic MW: will now return a custom PanicStackError with stack trace by
@aldasin labstack/echo#2871- Docs: add missing err parameter to DenyHandler example by
@cgalibernin labstack/echo#2878- improve: improve websocket checks in IsWebSocket() [per RFC 6455] by
@raju-mechatronicsin labstack/echo#2875- fix: Context.Json() should not send status code before serialization is complete by
@aldasin labstack/echo#2877
b1d4430
Merge pull request #2891
from aldas/fix_staticmw48f25a6
Fix test reporting different size due Windows / Linux line ending
inconsisten...6c16259
Fix directory traversal vulnerability under Windows in Static middleware
when...88d975a
Fix directory traversal vulnerability under Windows in Static middleware
when...09ccfba
Fill c.Request().Pattern field with route path to help standard library
based...68aaf3a
Changelog for version 5.0.226ec148
security (static middleware): fix bowser=true listing all file names
from giv...ba10490
Merge pull request #2880
from aldas/changelog_5010954d6e
Changelog for v5.0.1 release8e4c91f
Create SECURITY.md