All Echo Framework CVEs — Complete Vulnerability History
Echo is a high-performance Go HTTP framework. Its CVE count is low — the main known CVE is an open redirect in certain configurations.
Go
1 CVE total
Full CVE history
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2023-29401 | 2023 | MEDIUM | Open redirect via crafted Location header | Fixed v4.11.2 |
Current safe version: v4.11.4
```
// Before
require github.com/labstack/echo/v4 v4.9.0

// After
require github.com/labstack/echo/v4 v4.11.4
```
Then run: go mod tidy
Common questions
Is Echo safer than Gin?
Both have minimal direct CVE histories. The main security considerations for Go HTTP frameworks are their handling of middleware, TLS configuration, and request validation — not just CVE counts.
How do I add security headers in Echo?
Use Echo's built-in secure middleware: `e.Use(middleware.Secure())`. This adds HSTS, X-Frame-Options, X-Content-Type-Options, and other security headers automatically.
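
A way to verify which of these headers an application actually emits, as an added example that is not from the original page or the Echo project: it uses only the Go standard library and accepts any `http.Handler`, which an `*echo.Echo` instance satisfies. `sampleHandler` is a constructed stand-in for the application; Echo's secure middleware sends `Strict-Transport-Security` only over HTTPS and only when `SecureConfig.HSTSMaxAge` is non-zero, so the check simulates a TLS request.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requiredHeaders lists the response headers named in the answer above.
var requiredHeaders = []string{
	"Strict-Transport-Security",
	"X-Frame-Options",
	"X-Content-Type-Options",
}

// MissingSecurityHeaders sends one simulated HTTPS GET to h and returns
// the required headers that are absent from the response.
func MissingSecurityHeaders(h http.Handler, path string) []string {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.TLS = &tls.ConnectionState{} // mark the request as arriving over TLS
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	hdr := rec.Result().Header
	var missing []string
	for _, name := range requiredHeaders {
		if hdr.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

// sampleHandler is a constructed stand-in for the application under test.
func sampleHandler(withHSTS bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", "SAMEORIGIN")
		w.Header().Set("X-Content-Type-Options", "nosniff")
		if withHSTS && r.TLS != nil {
			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
		}
		w.WriteHeader(http.StatusOK)
	})
}

func main() {
	fmt.Println("without HSTS:", MissingSecurityHeaders(sampleHandler(false), "/"))
	fmt.Println("with HSTS:", MissingSecurityHeaders(sampleHandler(true), "/"))
}
```

In a test suite, pass the configured Echo instance in place of `sampleHandler` and fail the build when the returned slice is non-empty.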