GHSA-FPW6-HRG5-Q5X5: GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference i…

1 / 2

GHSA-FPW6-HRG5-Q5X5: GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0

DEV Community·CVE Reports·25 days ago

#WX4lcmX8

#security #cve #cybersecurity #ghsa #tokens #ech0

Reading 0:00

15s threshold

GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0 Vulnerability ID: GHSA-FPW6-HRG5-Q5X5 CVSS Score: 7.4 Published: 2026-05-07 Ech0 access tokens created with the 'never expire' option generate JSON Web Tokens (JWT) missing the 'exp' claim. This structural omission causes a nil-pointer dereference during logout and prevents the JTI blacklisting mechanism from functioning. Consequently, leaked access tokens cannot be revoked by administrators. TL;DR A missing expiration claim in Ech0's 'never expire' JWTs causes panics and silently breaks token revocation, allowing attackers to maintain perpetual access with stolen tokens.…

Continue reading — create a free account

Join HashtagPLUS to read full articles, follow hashtags, vote, and join the conversation.

Create free account Log in

Menu

GHSA-FPW6-HRG5-Q5X5: GHSA-FPW6-HRG5-Q5X5: Irrevocable Access Tokens and Nil-Pointer Dereference in Ech0