
CVE-2022-40083

Critical · Public PoC

Published: 28 September 2022
Modified: 21 May 2025
KEV Added: not listed
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.5877 (98.3rd percentile)
Risk Priority: 54 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40083 is a critical-severity Open Redirect (CWE-601) vulnerability in Labstack Echo. Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Labstack Echo version 4.8.0 contains an open redirect vulnerability in its Static Handler component that can be abused to trigger server-side request forgery. The flaw is tracked as CVE-2022-40083, carries a CVSS 3.1 score of 9.6, and is classified under CWE-601.

An unauthenticated remote attacker can supply a crafted URL that the static handler follows, resulting in SSRF that may allow the attacker to reach internal resources or perform actions on the server’s behalf. The attack requires user interaction but needs no privileges and can produce high impact on confidentiality, integrity, and availability when the SSRF succeeds.

The associated GitHub issue provides the primary public reference for the flaw. Exploitation probability rose sharply after disclosure, reaching a peak EPSS score of 0.8308 on 2025-12-11 before settling at the current value of 0.5877, indicating sustained attacker interest in the vulnerability.


Vulnerability details

Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).

CWE(s): CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

labstack echo, version 4.8.0

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Security awareness: includes verifying URLs and avoiding untrusted redirects that lead to malicious sites. Addresses CWE-601.

Redirect target validation: validates redirect targets and URLs to ensure they conform to allowed destinations. Addresses CWE-601.
