Echo 5.2.1

Release Date: June 15, 2026

Echo 5.2.1 has been released — a security-focused update that addresses a path traversal vulnerability in static file serving and brings several improvements to the Go web framework's middleware and routing.

Security Fix: Static File Path Traversal

The headline change in Echo 5.2.1 is a defense-in-depth fix for a path traversal vulnerability (GHSA-vfp3-v2gw-7wfq). Static file serving methods and middleware no longer unescape paths by default, ensuring consistency with how the Router interprets paths. This prevents attackers from using URL-encoded path separators like %2f to bypass route guards on subdirectories.

The previous DisablePathUnescaping option (on StaticConfig and StaticDirectoryHandlerConfig) is deprecated and replaced by EnablePathUnescaping, so the safe behavior is now the default and you must explicitly opt in to the older, riskier behavior.
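
The mismatch described above, as an added example that is not Echo's code: a standard-library-only model of a router that matches the escaped path and a static handler that may unescape it before resolving the file. The /static/private/ guard, the function names and the sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// guardBypassed models a router matching the escaped path and a file handler
// that may unescape it. True: the guard misses, yet the file lies under it.
func guardBypassed(rawPath, guardedPrefix string, unescape bool) bool {
	routerView := path.Clean("/" + rawPath)
	fileView := routerView
	if unescape {
		decoded, err := url.PathUnescape(rawPath)
		if err != nil {
			return false // malformed escape; nothing is resolved
		}
		fileView = path.Clean("/" + decoded)
	}
	underGuard := func(p string) bool { return strings.HasPrefix(p, guardedPrefix) }
	return !underGuard(routerView) && underGuard(fileView)
}

// flagged returns the paths for which the router and file views disagree.
func flagged(paths []string, guardedPrefix string, unescape bool) []string {
	var out []string
	for _, p := range paths {
		if guardBypassed(p, guardedPrefix, unescape) {
			out = append(out, p)
		}
	}
	return out
}

var samplePaths = []string{ // constructed sample request paths
	"/static/public/app.js",
	"/static/private/report.txt",     // guard matches: handled by the guarded route
	"/static/private%2freport.txt",   // encoded separator
	"/static/private%2Freport.txt",   // same, upper-case hex
	"/static/private%252freport.txt", // double-encoded: one decode leaves %2f
}

func main() {
	const guarded = "/static/private/" // hypothetical guarded subdirectory
	fmt.Println("unescaping on: ", flagged(samplePaths, guarded, true))
	fmt.Println("unescaping off:", flagged(samplePaths, guarded, false))
}
```

The same function can be run over escaped request paths from access logs to find requests that would have resolved differently before the upgrade.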

Breaking Changes

  • Static middleware behavior: Path unescaping in static file handlers is now disabled by default. Review your static file configuration if you relied on unescaped paths.
  • Deprecated option renamed: DisablePathUnescaping is deprecated; use EnablePathUnescaping instead.

What Changed Under the Hood

This release reverts portions of PR #3009 and instead disables path escaping at the default configuration level for all static methods and middleware. The previous fix rejected explicitly encoded separators at the handler level, while this patch makes the no-unescape behavior the default so new configurations are safe without extra opt-out steps.

How to Upgrade

Update your Go module dependencies:

go get github.com/labstack/echo/v5@v5.2.1

If your application relies on URL-decoded paths for static file serving, set EnablePathUnescaping: true in your static middleware configuration — but review the security implications first.

Echo 5.2.1 is a recommended upgrade for all production users due to the security fix. Review your static file serving setup and test thoroughly after upgrading.
