CVE-2022-40083
Published: 28 September 2022
Summary
CVE-2022-40083 is a critical-severity Open Redirect (CWE-601) vulnerability in Labstack Echo. Its CVSS base score is 9.6 (Critical).
Operationally, it ranks in the top 1.7% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
Labstack Echo version 4.8.0 contains an open redirect vulnerability in its Static Handler component that can be abused to trigger server-side request forgery. The flaw is tracked as CVE-2022-40083, carries a CVSS 3.1 score of 9.6, and is classified under CWE-601.
An unauthenticated remote attacker can supply a crafted request path that the static handler reflects into the Location header of its redirect response, sending the client to an attacker-chosen destination. NVD characterizes the result as SSRF, in which case the attacker may reach internal resources or have requests issued on the server's behalf. The CVSS vector requires user interaction (a victim must follow the crafted link) but no privileges, and rates the impact on confidentiality, integrity, and availability as high when the SSRF succeeds.
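The weakness class behind this CVE is a redirect whose target is built from the raw request path. The Go program below is an added illustration, not Echo's code and not the published proof of concept: it mimics the directory-to-trailing-slash redirect step of a static file handler, once reflecting the raw path unchanged and once after collapsing leading slashes. The `dirs` map (a stand-in for the filesystem), the hostnames `app.example` and `evil.example`, and the crafted path `//evil.example/..` are all constructed for the example. Collapsing leading `/` and `\` characters is the standard fix for this pattern, because browsers treat `//host/...` and `/\host/...` as protocol-relative URLs pointing at `host`; upgrading to a patched Echo release remains the primary remediation.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// Constructed stand-in for the filesystem under the static root:
// only "/" and "/docs" exist as directories.
var dirs = map[string]bool{"/": true, "/docs": true}

// sanitizeRedirectPath collapses a run of leading "/" or "\" into a single "/".
// Browsers treat "//host/x", "/\host/x" and "\\host\x" as protocol-relative
// URLs pointing at host, so a same-site redirect must never begin that way.
func sanitizeRedirectPath(p string) string {
	if len(p) > 1 && (p[0] == '/' || p[0] == '\\') && (p[1] == '/' || p[1] == '\\') {
		return "/" + strings.TrimLeft(p, `/\`)
	}
	return p
}

// newDirRedirectHandler mimics the directory redirect of a static handler:
// if the cleaned request path names a directory and the raw path has no
// trailing slash, the client is redirected to raw path + "/".
// sanitize=false reflects the raw path as-is (the CWE-601 pattern);
// sanitize=true normalises leading slashes first.
func newDirRedirectHandler(sanitize bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := r.URL.Path
		fsPath := path.Clean("/" + raw) // what would be stat()ed on disk
		if !dirs[fsPath] {
			http.NotFound(w, r)
			return
		}
		if !strings.HasSuffix(raw, "/") {
			target := raw + "/"
			if sanitize {
				target = sanitizeRedirectPath(target)
			}
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		fmt.Fprintf(w, "index of %s\n", fsPath)
	})
}

// locationFor drives h with a GET for rawPath and returns the status code and
// Location header, which is what a redirect-following client would act on.
func locationFor(h http.Handler, rawPath string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, rawPath, nil))
	return rec.Code, rec.Header().Get("Location")
}

// redirectHost returns the host a client would contact after resolving
// location against origin; "" means the redirect stays on the origin.
func redirectHost(origin, location string) string {
	base, err := url.Parse(origin)
	if err != nil {
		return ""
	}
	u, err := url.Parse(location)
	if err != nil {
		return ""
	}
	resolved := base.ResolveReference(u)
	if resolved.Host == base.Host {
		return ""
	}
	return resolved.Host
}

func main() {
	const origin = "https://app.example"
	// Constructed request: "//evil.example/.." cleans to "/" (an existing
	// directory), but the raw path copied into Location starts with "//".
	crafted := "//evil.example/.."
	for _, sanitize := range []bool{false, true} {
		code, loc := locationFor(newDirRedirectHandler(sanitize), crafted)
		fmt.Printf("sanitize=%-5v status=%d Location=%q offsite=%q\n",
			sanitize, code, loc, redirectHost(origin, loc))
	}
}
```

Running it shows the unsanitized handler answering `301` with `Location: //evil.example/../`, which a browser resolves to `https://evil.example/`, while the sanitized handler redirects to `/` on the origin. The same check is useful as a detection rule: any `3xx` response whose `Location` begins with two slashes or a slash-backslash pair deserves a look.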
The associated GitHub issue is the primary public reference for the flaw. The EPSS score rose sharply after disclosure, peaking at 0.8308 on 2025-12-11 before settling at the current value of 0.5877. EPSS estimates the probability of exploitation in the wild over the following 30 days; it is a prediction rather than evidence of observed attacks, but a score this high warrants prioritizing the upgrade.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-6783
Vulnerability details
Labstack Echo v4.8.0 was discovered to contain an open redirect vulnerability via the Static Handler component. This vulnerability can be leveraged by attackers to cause a Server-Side Request Forgery (SSRF).
- CWE(s): CWE-601 (URL Redirection to Untrusted Site, "Open Redirect")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Labstack Echo v4.8.0 (Static Handler component)
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping has not run yet for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.