Summary
Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving %2F as-is), while StaticDirectoryHandler unescapes %2F to / before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.
Details
Root cause 1 — router.go lines 798-802:
The router uses req.URL.RawPath for route matching when useEscapedPathForRouting is false (the default). This means /admin%2Fsecret.txt is treated as a single path segment and does NOT match the /admin/* route pattern.
if !r.useEscapedPathForRouting && req.URL.RawPath != "" {
path = req.URL.RawPath
}
Root cause 2 — echo.go lines 559-568:
StaticDirectoryHandler calls url.PathUnescape() on the path parameter before opening files. This converts %2F back to /, resolving admin/secret.txt on disk.
if !disablePathUnescaping {
tmpPath, err := url.PathUnescape(p)
p = tmpPath
}
name := filepath.ToSlash(filepath.Clean(strings.TrimPrefix(p, "/")))
PoC (Screenshot)
Sample:

403:

Bypass with encoded slash:

Impact
Unauthorized static file disclosure. Applications that protect route prefixes with authentication middleware while also serving static files from a broader root are vulnerable. An attacker only needs to encode the slash (/ → %2F) in the URL to bypass all route-level protection.
Common affected pattern:
adminGroup := e.Group("/admin", authMiddleware)
e.StaticFS("/", os.DirFS("public"))
Summary
Echo's router and static file handler disagree on URL path decoding. The router matches routes using the raw encoded path (preserving
%2Fas-is), whileStaticDirectoryHandlerunescapes%2Fto/before resolving filesystem paths. This allows an attacker to bypass route-level access controls and read static files without authorization.Details
Root cause 1 —
router.golines 798-802:The router uses
req.URL.RawPathfor route matching whenuseEscapedPathForRoutingis false (the default). This means/admin%2Fsecret.txtis treated as a single path segment and does NOT match the/admin/*route pattern.Root cause 2 —
echo.golines 559-568:StaticDirectoryHandlercallsurl.PathUnescape()on the path parameter before opening files. This converts%2Fback to/, resolvingadmin/secret.txton disk.PoC (Screenshot)
Sample:

403:

Bypass with encoded slash:

Impact
Unauthorized static file disclosure. Applications that protect route prefixes with authentication middleware while also serving static files from a broader root are vulnerable. An attacker only needs to encode the slash (
/→%2F) in the URL to bypass all route-level protection.Common affected pattern: