Common Weakness Enumeration

CWE-319

Allowed

Cleartext Transmission of Sensitive Information

Abstraction: Base · Status: Draft

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

1147 vulnerabilities reference this CWE, most recent first.

GHSA-GMXM-PR58-V5JC

Vulnerability from github – Published: 2023-04-12 18:30 – Updated: 2023-04-12 22:19
VLAI
Summary
Jenkins Azure Key Vault Plugin does not properly mask credentials
Details

Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

  • The credentials are printed in build steps executing on an agent (typically inside a node block).

  • Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

The following plugins are affected by this vulnerability:

  • Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)

  • Azure Key Vault 187.va_cd5fecd198a_ and earlier (SECURITY-3051 / CVE-2023-30514)

  • Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)

The following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:

  • Kubernetes 3910.ve59cec5e33ea_ (SECURITY-3079 / CVE-2023-30513)

  • Azure Key Vault 188.vf46b_7fa_846a_1 (SECURITY-3051 / CVE-2023-30514)

As of publication of this advisory, there is no fix available for the following plugin:

  • Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:azure-keyvault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "188.vf46b"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-30514"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-12T22:19:49Z",
    "nvd_published_at": "2023-04-12T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:\n\n- The credentials are printed in build steps executing on an agent (typically inside a node block).\n\n- Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.\n\nThe following plugins are affected by this vulnerability:\n\n- Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)\n\n- Azure Key Vault 187.va_cd5fecd198a_ and earlier (SECURITY-3051 / CVE-2023-30514)\n\n- Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)\n\nThe following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:\n\n- Kubernetes 3910.ve59cec5e33ea_ (SECURITY-3079 / CVE-2023-30513)\n\n- Azure Key Vault 188.vf46b_7fa_846a_1 (SECURITY-3051 / CVE-2023-30514)\n\nAs of publication of this advisory, there is no fix available for the following plugin:\n\n- Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)",
  "id": "GHSA-gmxm-pr58-v5jc",
  "modified": "2023-04-12T22:19:49Z",
  "published": "2023-04-12T18:30:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30514"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2023/04/13/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Azure Key Vault Plugin does not properly mask credentials"
}

GHSA-GP67-C7J2-2QG2

Vulnerability from github – Published: 2022-05-24 16:52 – Updated: 2022-06-28 22:35
VLAI
Summary
Insertion of Sensitive Information into Log File in Jenkins Mask Passwords Plugin
Details

Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.12.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:mask-passwords"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.13.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10370"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319",
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-28T22:35:52Z",
    "nvd_published_at": "2019-08-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Mask Passwords Plugin 2.12.0 and earlier transmits globally configured passwords in plain text as part of the configuration form, potentially resulting in their exposure.",
  "id": "GHSA-gp67-c7j2-2qg2",
  "modified": "2022-06-28T22:35:52Z",
  "published": "2022-05-24T16:52:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10370"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/mask-passwords-plugin/pull/20"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/mask-passwords-plugin/commit/aadefdbf319954cf0c5acbe032637e1c0a924f37"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/mask-passwords-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-08-07/#SECURITY-157"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/08/07/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Insertion of Sensitive Information into Log File in Jenkins Mask Passwords Plugin"
}

GHSA-GP9C-7R9H-X95G

Vulnerability from github – Published: 2024-02-07 18:30 – Updated: 2025-11-04 00:30
VLAI
Details

IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server. IBM X-Force Id: 254957.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-32328"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-02-07T17:15:08Z",
    "severity": "HIGH"
  },
  "details": "IBM Security Verify Access 10.0.0.0 through 10.0.6.1 uses insecure protocols in some instances that could allow an attacker on the network to take control of the server.  IBM X-Force Id:  254957.",
  "id": "GHSA-gp9c-7r9h-x95g",
  "modified": "2025-11-04T00:30:46Z",
  "published": "2024-02-07T18:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32328"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/254657"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/pages/node/7106586"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2024/Nov/0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPF3-4FW6-P76W

Vulnerability from github – Published: 2022-12-13 18:30 – Updated: 2022-12-15 21:30
VLAI
Details

A vulnerability has been identified in SICAM PAS/PQS (All versions < V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the by default enabled xp_cmdshell feature unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-43724"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-13T16:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability has been identified in SICAM PAS/PQS (All versions \u003c V7.0). Affected software transmits the database credentials for the inbuilt SQL server in cleartext. In combination with the by default enabled xp_cmdshell feature unauthenticated remote attackers could execute custom OS commands. At the time of assigning the CVE, the affected firmware version of the component has already been superseded by succeeding mainline versions.",
  "id": "GHSA-gpf3-4fw6-p76w",
  "modified": "2022-12-15T21:30:28Z",
  "published": "2022-12-13T18:30:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43724"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-849072.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GPWJ-XRHP-6HPW

Vulnerability from github – Published: 2022-05-24 17:30 – Updated: 2022-05-24 17:30
VLAI
Details

A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-25645"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-10-13T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.",
  "id": "GHSA-gpwj-xrhp-6hpw",
  "modified": "2022-05-24T17:30:35Z",
  "published": "2022-05-24T17:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25645"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1883988"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00028.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20201103-0004"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2020/dsa-4774"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html"
    },
    {
      "type": "WEB",
      "url": "http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GQPW-8C2M-GG9Q

Vulnerability from github – Published: 2022-05-24 17:04 – Updated: 2022-05-24 17:04
VLAI
Details

An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-19890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-12-18T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered on Humax Wireless Voice Gateway HGB10R-2 20160817_1855 devices. Admin credentials are sent over cleartext HTTP.",
  "id": "GHSA-gqpw-8c2m-gg9q",
  "modified": "2022-05-24T17:04:04Z",
  "published": "2022-05-24T17:04:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19890"
    },
    {
      "type": "WEB",
      "url": "https://github.com/V1n1v131r4/HGB10R-2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-GR4X-2WJ5-G5M3

Vulnerability from github – Published: 2025-08-20 12:31 – Updated: 2025-08-20 12:31
VLAI
Details

In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57727"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-20T10:15:30Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference",
  "id": "GHSA-gr4x-2wj5-g5m3",
  "modified": "2025-08-20T12:31:14Z",
  "published": "2025-08-20T12:31:14Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57727"
    },
    {
      "type": "WEB",
      "url": "https://www.jetbrains.com/privacy-security/issues-fixed"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRJV-RC2C-54R5

Vulnerability from github – Published: 2022-09-01 00:00 – Updated: 2022-09-07 00:01
VLAI
Details

Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-2485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-31T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "Any attempt (good or bad) to log into AutomationDirect Stride Field I/O with a web browser may result in the device responding with its password in the communication packets.",
  "id": "GHSA-grjv-rc2c-54r5",
  "modified": "2022-09-07T00:01:50Z",
  "published": "2022-09-01T00:00:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2485"
    },
    {
      "type": "WEB",
      "url": "https://cdn.automationdirect.com/static/firmware/product_advisory/PA-COM-006.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-05"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRMH-8693-2942

Vulnerability from github – Published: 2023-12-07 15:30 – Updated: 2025-11-04 21:30
VLAI
Details

The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39172"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-07T14:15:07Z",
    "severity": "CRITICAL"
  },
  "details": "The affected devices transmit sensitive information unencrypted allowing a remote unauthenticated attacker to capture and modify network traffic.",
  "id": "GHSA-grmh-8693-2942",
  "modified": "2025-11-04T21:30:50Z",
  "published": "2023-12-07T15:30:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39172"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/fulldisclosure/2023/Nov/4"
    },
    {
      "type": "WEB",
      "url": "http://seclists.org/fulldisclosure/2023/Nov/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GV83-GQW6-9J2C

Vulnerability from github – Published: 2026-07-06 20:43 – Updated: 2026-07-06 20:43
VLAI
Summary
GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
Details

Summary

The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security (HSTS) response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol() — which returns the HTTP protocol version string (e.g., "HTTP/1.1", "HTTP/2.0") — instead of c.Scheme() — which returns the URL scheme ("http" or "https"). Since c.Protocol() never equals "https" in any real deployment, the HSTS header is permanently disabled, defeating the security protection.

Details

Root cause: middleware/helmet/helmet.go, line 67:

if c.Protocol() == "https" && cfg.HSTSMaxAge != 0 {

c.Protocol() (defined at req.go:865-867) delegates to fasthttp.Request.Header.Protocol(), which returns the HTTP protocol version: - "HTTP/1.1" for HTTP/1.1 connections - "HTTP/2.0" for HTTP/2 connections

The correct method is c.Scheme() (defined at req.go:844-862), which returns: - "http" for plain HTTP connections - "https" for TLS connections

Since "HTTP/1.1" != "https" always evaluates to true, the entire HSTS block (lines 67-76) is dead code.

Note on test coverage: The existing helmet test (helmet_test.go) passes because it uses ctx.Request.Header.SetProtocol("https") to artificially force Protocol() to return "https". However, fasthttp.Request.Header.SetProtocol() sets the HTTP version field, and real HTTP requests never have protocol "https" — they have "HTTP/1.1" or "HTTP/2.0". The test is validating the wrong thing.

PoC

Clean-checkout maintainer-runnable recipe:

  1. Save the following as middleware/helmet/poc_hsts_test.go:
package helmet

import (
    "crypto/tls"
    "net/http/httptest"
    "testing"

    "github.com/gofiber/fiber/v3"
)

func Test_PoC_HSTS_NeverSet(t *testing.T) {
    app := fiber.New()
    app.Use(New(Config{
        HSTSMaxAge: 31536000,
    }))
    app.Get("/", func(c fiber.Ctx) error {
        return c.SendString("ok")
    })

    // Simulate HTTPS connection
    req := httptest.NewRequest(fiber.MethodGet, "/", nil)
    req.TLS = &tls.ConnectionState{}

    resp, _ := app.Test(req)
    hsts := resp.Header.Get("Strict-Transport-Security")

    if hsts == "" {
        t.Log("BUG CONFIRMED: HSTS header not set. c.Protocol() returns 'HTTP/1.1', not 'https'")
        t.Log("Fix: change c.Protocol() == 'https' to c.Scheme() == 'https' on line 67")
    }
}
  1. Run: go test -run Test_PoC_HSTS_NeverSet -v ./middleware/helmet/

Expected vulnerable output:

=== RUN   Test_PoC_HSTS_NeverSet
    BUG CONFIRMED: HSTS header not set. c.Protocol() returns 'HTTP/1.1', not 'https'
    Fix: change c.Protocol() == 'https' to c.Scheme() == 'https' on line 67
--- PASS: Test_PoC_HSTS_NeverSet

Expected output after fix:

=== RUN   Test_PoC_HSTS_NeverSet
--- PASS: Test_PoC_HSTS_NeverSet
    (HSTS header is set: "max-age=31536000; includeSubDomains")

Observed output from this environment (commit ee98695f):

=== RUN   Test_PoC_HSTS_NeverSet
    poc_hsts_test.go:39: HSTS header value: ""
    poc_hsts_test.go:42: BUG CONFIRMED: HSTS header is NOT set even over TLS
    poc_hsts_test.go:43: Root cause: helmet.go:67 uses c.Protocol() which returns HTTP version
    poc_hsts_test.go:44: c.Protocol() returns 'HTTP/1.1' not 'https'
    poc_hsts_test.go:45: Fix: use c.Scheme() == 'https' instead of c.Protocol() == 'https'
--- PASS: Test_PoC_HSTS_NeverSet

Negative/control case: With HSTSMaxAge: 0 (default), HSTS is correctly not set (this is expected behavior, not a bug).

Cleanup: Remove poc_hsts_test.go after verification.

Impact

The HSTS header is never applied in production, leaving all users vulnerable to: - SSL stripping attacks: An active network attacker can downgrade HTTPS connections to HTTP, intercepting traffic between the client and server. - Protocol downgrade: Without HSTS, browsers will silently accept HTTP connections to the site, even if the site supports HTTPS. - Cookie theft over HTTP: Session cookies without the Secure flag will be sent over HTTP if the user is tricked into an HTTP connection.

This affects any application that: 1. Uses the helmet middleware 2. Configures HSTSMaxAge > 0 expecting HSTS protection 3. Serves traffic over HTTPS

The vulnerability requires an active MITM attacker on the network path, which is realistic in public Wi-Fi, corporate networks, and ISP-level scenarios.

Suggested remediation

In middleware/helmet/helmet.go, line 67, replace c.Protocol() with c.Scheme():

// Before (broken):
if c.Protocol() == "https" && cfg.HSTSMaxAge != 0 {

// After (fixed):
if c.Scheme() == "https" && cfg.HSTSMaxAge != 0 {

Additionally, update the existing test to use a realistic TLS simulation instead of SetProtocol("https"):

// Before (artificial - sets HTTP version to "https" which never happens in practice):
ctx.Request.Header.SetProtocol("https")

// After (realistic - simulates TLS connection):
ctx.RequestCtx().Request.Header.SetProtocol("HTTP/1.1")
ctx.RequestCtx().TLS = &tls.ConnectionState{}

Regression test: Add a test case that verifies HSTS is set when req.TLS is non-nil and HSTSMaxAge > 0, without using SetProtocol.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.3.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-53624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-319"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-06T20:43:12Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `helmet` middleware in gofiber/fiber never sets the `Strict-Transport-Security` (HSTS) response header, even when `HSTSMaxAge` is explicitly configured, because the condition check at `helmet.go:67` uses `c.Protocol()` \u2014 which returns the HTTP protocol version string (e.g., `\"HTTP/1.1\"`, `\"HTTP/2.0\"`) \u2014 instead of `c.Scheme()` \u2014 which returns the URL scheme (`\"http\"` or `\"https\"`). Since `c.Protocol()` never equals `\"https\"` in any real deployment, the HSTS header is permanently disabled, defeating the security protection.\n\n### Details\n\n**Root cause:** `middleware/helmet/helmet.go`, line 67:\n\n```go\nif c.Protocol() == \"https\" \u0026\u0026 cfg.HSTSMaxAge != 0 {\n```\n\n`c.Protocol()` (defined at `req.go:865-867`) delegates to `fasthttp.Request.Header.Protocol()`, which returns the HTTP protocol version:\n- `\"HTTP/1.1\"` for HTTP/1.1 connections\n- `\"HTTP/2.0\"` for HTTP/2 connections\n\nThe correct method is `c.Scheme()` (defined at `req.go:844-862`), which returns:\n- `\"http\"` for plain HTTP connections\n- `\"https\"` for TLS connections\n\nSince `\"HTTP/1.1\" != \"https\"` always evaluates to `true`, the entire HSTS block (lines 67-76) is dead code.\n\n**Note on test coverage:** The existing helmet test (`helmet_test.go`) passes because it uses `ctx.Request.Header.SetProtocol(\"https\")` to artificially force `Protocol()` to return `\"https\"`. However, `fasthttp.Request.Header.SetProtocol()` sets the HTTP version field, and real HTTP requests never have protocol `\"https\"` \u2014 they have `\"HTTP/1.1\"` or `\"HTTP/2.0\"`. The test is validating the wrong thing.\n\n### PoC\n\n**Clean-checkout maintainer-runnable recipe:**\n\n1. Save the following as `middleware/helmet/poc_hsts_test.go`:\n\n```go\npackage helmet\n\nimport (\n    \"crypto/tls\"\n    \"net/http/httptest\"\n    \"testing\"\n\n    \"github.com/gofiber/fiber/v3\"\n)\n\nfunc Test_PoC_HSTS_NeverSet(t *testing.T) {\n    app := fiber.New()\n    app.Use(New(Config{\n        HSTSMaxAge: 31536000,\n    }))\n    app.Get(\"/\", func(c fiber.Ctx) error {\n        return c.SendString(\"ok\")\n    })\n\n    // Simulate HTTPS connection\n    req := httptest.NewRequest(fiber.MethodGet, \"/\", nil)\n    req.TLS = \u0026tls.ConnectionState{}\n\n    resp, _ := app.Test(req)\n    hsts := resp.Header.Get(\"Strict-Transport-Security\")\n\n    if hsts == \"\" {\n        t.Log(\"BUG CONFIRMED: HSTS header not set. c.Protocol() returns \u0027HTTP/1.1\u0027, not \u0027https\u0027\")\n        t.Log(\"Fix: change c.Protocol() == \u0027https\u0027 to c.Scheme() == \u0027https\u0027 on line 67\")\n    }\n}\n```\n\n2. Run: `go test -run Test_PoC_HSTS_NeverSet -v ./middleware/helmet/`\n\n**Expected vulnerable output:**\n```\n=== RUN   Test_PoC_HSTS_NeverSet\n    BUG CONFIRMED: HSTS header not set. c.Protocol() returns \u0027HTTP/1.1\u0027, not \u0027https\u0027\n    Fix: change c.Protocol() == \u0027https\u0027 to c.Scheme() == \u0027https\u0027 on line 67\n--- PASS: Test_PoC_HSTS_NeverSet\n```\n\n**Expected output after fix:**\n```\n=== RUN   Test_PoC_HSTS_NeverSet\n--- PASS: Test_PoC_HSTS_NeverSet\n    (HSTS header is set: \"max-age=31536000; includeSubDomains\")\n```\n\n**Observed output from this environment (commit `ee98695f`):**\n```\n=== RUN   Test_PoC_HSTS_NeverSet\n    poc_hsts_test.go:39: HSTS header value: \"\"\n    poc_hsts_test.go:42: BUG CONFIRMED: HSTS header is NOT set even over TLS\n    poc_hsts_test.go:43: Root cause: helmet.go:67 uses c.Protocol() which returns HTTP version\n    poc_hsts_test.go:44: c.Protocol() returns \u0027HTTP/1.1\u0027 not \u0027https\u0027\n    poc_hsts_test.go:45: Fix: use c.Scheme() == \u0027https\u0027 instead of c.Protocol() == \u0027https\u0027\n--- PASS: Test_PoC_HSTS_NeverSet\n```\n\n**Negative/control case:** With `HSTSMaxAge: 0` (default), HSTS is correctly not set (this is expected behavior, not a bug).\n\n**Cleanup:** Remove `poc_hsts_test.go` after verification.\n\n### Impact\n\nThe HSTS header is never applied in production, leaving all users vulnerable to:\n- **SSL stripping attacks:** An active network attacker can downgrade HTTPS connections to HTTP, intercepting traffic between the client and server.\n- **Protocol downgrade:** Without HSTS, browsers will silently accept HTTP connections to the site, even if the site supports HTTPS.\n- **Cookie theft over HTTP:** Session cookies without the `Secure` flag will be sent over HTTP if the user is tricked into an HTTP connection.\n\nThis affects any application that:\n1. Uses the `helmet` middleware\n2. Configures `HSTSMaxAge \u003e 0` expecting HSTS protection\n3. Serves traffic over HTTPS\n\nThe vulnerability requires an active MITM attacker on the network path, which is realistic in public Wi-Fi, corporate networks, and ISP-level scenarios.\n\n### Suggested remediation\n\nIn `middleware/helmet/helmet.go`, line 67, replace `c.Protocol()` with `c.Scheme()`:\n\n```go\n// Before (broken):\nif c.Protocol() == \"https\" \u0026\u0026 cfg.HSTSMaxAge != 0 {\n\n// After (fixed):\nif c.Scheme() == \"https\" \u0026\u0026 cfg.HSTSMaxAge != 0 {\n```\n\nAdditionally, update the existing test to use a realistic TLS simulation instead of `SetProtocol(\"https\")`:\n\n```go\n// Before (artificial - sets HTTP version to \"https\" which never happens in practice):\nctx.Request.Header.SetProtocol(\"https\")\n\n// After (realistic - simulates TLS connection):\nctx.RequestCtx().Request.Header.SetProtocol(\"HTTP/1.1\")\nctx.RequestCtx().TLS = \u0026tls.ConnectionState{}\n```\n\n**Regression test:** Add a test case that verifies HSTS is set when `req.TLS` is non-nil and `HSTSMaxAge \u003e 0`, without using `SetProtocol`.",
  "id": "GHSA-gv83-gqw6-9j2c",
  "modified": "2026-07-06T20:43:12Z",
  "published": "2026-07-06T20:43:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "GoFiber never set HSTS header in helmet middleware due to incorrect protocol check"
}

Mitigation
Architecture and Design

Before transmitting, encrypt the data using reliable, confidentiality-protecting cryptographic protocols.

Mitigation
Implementation

When using web applications with SSL, use SSL for the entire session from login to logout, not just for the initial login page.

Mitigation
Implementation

When designing hardware platforms, ensure that approved encryption algorithms (such as those recommended by NIST) protect paths from security critical data to trusted user applications.

Mitigation
Testing

Use tools and techniques that require manual (human) analysis, such as penetration testing, threat modeling, and interactive tools that allow the tester to record and modify an active session. These may be more effective than strictly automated techniques. This is especially the case with weaknesses that are related to design and business rules.

Mitigation
Operation

Configure servers to use encrypted channels for communication, which may include SSL or other secure protocols.

CAPEC-102: Session Sidejacking

Session sidejacking takes advantage of an unencrypted communication channel between a victim and target system. The attacker sniffs traffic on a network looking for session tokens in unencrypted traffic. Once a session token is captured, the attacker performs malicious actions by using the stolen token with the targeted application to impersonate the victim. This attack is a specific method of session hijacking, which is exploiting a valid session token to gain unauthorized access to a target system or information. Other methods to perform a session hijacking are session fixation, cross-site scripting, or compromising a user or server machine and stealing the session token.

CAPEC-117: Interception

An adversary monitors data streams to or from the target for information gathering purposes. This attack may be undertaken to solely gather sensitive information or to support a further attack against the target. This attack pattern can involve sniffing network traffic as well as other types of data streams (e.g. radio). The adversary can attempt to initiate the establishment of a data stream or passively observe the communications as they unfold. In all variants of this attack, the adversary is not the intended recipient of the data stream. In contrast to other means of gathering information (e.g., targeting data leaks), the adversary must actively position themself so as to observe explicit data channels (e.g. network traffic) and read the content. However, this attack differs from a Adversary-In-the-Middle (CAPEC-94) attack, as the adversary does not alter the content of the communications nor forward data to the intended recipient.

CAPEC-383: Harvesting Information via API Event Monitoring

An adversary hosts an event within an application framework and then monitors the data exchanged during the course of the event for the purpose of harvesting any important data leaked during the transactions. One example could be harvesting lists of usernames or userIDs for the purpose of sending spam messages to those users. One example of this type of attack involves the adversary creating an event within the sub-application. Assume the adversary hosts a "virtual sale" of rare items. As other users enter the event, the attacker records via AiTM (CAPEC-94) proxy the user_ids and usernames of everyone who attends. The adversary would then be able to spam those users within the application using an automated script.

CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content

An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.

CAPEC-65: Sniff Application Code

An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.