Search

Find a vulnerability

Search criteria

    34 vulnerabilities found for fiber by gofiber

    CVE-2026-53624 (GCVE-0-2026-53624)

    Vulnerability from nvd – Published: 2026-07-08 19:32 – Updated: 2026-07-08 19:32
    VLAI
    Title
    Fiber: HSTS header never set in helmet middleware due to incorrect protocol check
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 3.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:32:08.191Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4389",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4389"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/04dd4e7754f61768fddccacc79057e416f13e6bf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/04dd4e7754f61768fddccacc79057e416f13e6bf"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.4.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.4.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gv83-gqw6-9j2c",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: HSTS header never set in helmet middleware due to incorrect protocol check"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53624",
        "datePublished": "2026-07-08T19:32:08.191Z",
        "dateReserved": "2026-06-09T20:16:59.646Z",
        "dateUpdated": "2026-07-08T19:32:08.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45045 (GCVE-0-2026-45045)

    Vulnerability from nvd – Published: 2026-07-08 19:26 – Updated: 2026-07-09 13:20
    VLAI
    Title
    Fiber: X-Real-IP Spoofing via Header.Add() in BalancerForward
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0-beta.2, < 3.3.0
    Affected: < 2.52.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45045",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:19:42.395861Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:20:08.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-beta.2, \u003c 3.3.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.52.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:26:26.580Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-gcfq-8gqf-4876",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-gcfq-8gqf-4876"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4260",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4260"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4495",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4495"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/33c9501288ab47a429c8b5e701493f0c3c0af37d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/33c9501288ab47a429c8b5e701493f0c3c0af37d"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.14"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gcfq-8gqf-4876",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: X-Real-IP Spoofing via Header.Add() in BalancerForward"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45045",
        "datePublished": "2026-07-08T19:26:26.580Z",
        "dateReserved": "2026-05-08T18:07:27.341Z",
        "dateUpdated": "2026-07-09T13:20:08.367Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-44332 (GCVE-0-2026-44332)

    Vulnerability from nvd – Published: 2026-07-08 19:32 – Updated: 2026-07-09 14:33
    VLAI
    Title
    Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 3.3.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44332",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:33:24.172923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:33:29.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-203",
                  "description": "CWE-203: Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:32:15.113Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-g5vh-55hw-rxm8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-g5vh-55hw-rxm8"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4245",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4245"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/c7ac00edd19f9669b1aebbec6e229658baaa059e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/c7ac00edd19f9669b1aebbec6e229658baaa059e"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-g5vh-55hw-rxm8",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44332",
        "datePublished": "2026-07-08T19:32:15.113Z",
        "dateReserved": "2026-05-05T19:52:59.146Z",
        "dateUpdated": "2026-07-09T14:33:29.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42554 (GCVE-0-2026-42554)

    Vulnerability from nvd – Published: 2026-05-11 21:47 – Updated: 2026-05-15 18:24
    VLAI
    Title
    Fiber: XSS in AutoFormat Content Negotiation
    Summary
    Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.13
    Affected: >= 3.0.0-beta.2, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42554",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T18:24:24.733312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T18:24:38.300Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-beta.2, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph \"safe, format-agnostic reply.\" This vulnerability is fixed in 2.52.12 and 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T21:47:17.133Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv"
            }
          ],
          "source": {
            "advisory": "GHSA-qjv7-627w-8qjv",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: XSS in AutoFormat Content Negotiation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42554",
        "datePublished": "2026-05-11T21:47:17.133Z",
        "dateReserved": "2026-04-28T16:56:50.191Z",
        "dateUpdated": "2026-05-15T18:24:38.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30246 (GCVE-0-2026-30246)

    Vulnerability from nvd – Published: 2026-05-05 12:40 – Updated: 2026-05-05 15:04
    VLAI
    Title
    github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters
    Summary
    Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= v3.0.0-beta.2, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30246",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T15:03:58.218760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T15:04:02.984Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= v3.0.0-beta.2, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T12:40:19.813Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92"
            }
          ],
          "source": {
            "advisory": "GHSA-35hp-hqmv-8qg8",
            "discovery": "UNKNOWN"
          },
          "title": "github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30246",
        "datePublished": "2026-05-05T12:40:19.813Z",
        "dateReserved": "2026-03-04T17:23:59.799Z",
        "dateUpdated": "2026-05-05T15:04:02.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25899 (GCVE-0-2026-25899)

    Vulnerability from nvd – Published: 2026-02-24 21:11 – Updated: 2026-02-24 21:37
    VLAI
    Title
    Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
    Summary
    Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25899",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:37:21.605800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:37:33.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:11:17.804Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.1.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.1.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2mr3-m5q5-wgp6",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25899",
        "datePublished": "2026-02-24T21:11:17.804Z",
        "dateReserved": "2026-02-06T21:08:39.131Z",
        "dateUpdated": "2026-02-24T21:37:33.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25891 (GCVE-0-2026-25891)

    Vulnerability from nvd – Published: 2026-02-24 21:08 – Updated: 2026-02-24 21:39
    VLAI
    Title
    Fiber has an Arbitrary File Read in Static Middleware on Windows
    Summary
    Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:39:00.083530Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:39:11.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:08:48.675Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4064"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86"
            }
          ],
          "source": {
            "advisory": "GHSA-m3c2-496v-cw3v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has an Arbitrary File Read in Static Middleware on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25891",
        "datePublished": "2026-02-24T21:08:48.675Z",
        "dateReserved": "2026-02-06T21:08:39.130Z",
        "dateUpdated": "2026-02-24T21:39:11.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25882 (GCVE-0-2026-25882)

    Vulnerability from nvd – Published: 2026-02-24 21:05 – Updated: 2026-02-24 21:39
    VLAI
    Title
    Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
    Summary
    Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 2.0.0, < 2.52.12
    Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25882",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:39:39.261259Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:39:51.170Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.52.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:09:57.502Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/3962",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/3962"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/path.go#L514",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/path.go#L514"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/v2/path.go#L516",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/v2/path.go#L516"
            }
          ],
          "source": {
            "advisory": "GHSA-mrq8-rjmw-wpq3",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has a Denial of Service Vulnerability via Route Parameter Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25882",
        "datePublished": "2026-02-24T21:05:28.211Z",
        "dateReserved": "2026-02-06T21:08:39.129Z",
        "dateUpdated": "2026-02-24T21:39:51.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66630 (GCVE-0-2025-66630)

    Vulnerability from nvd – Published: 2026-02-09 18:04 – Updated: 2026-02-10 16:02
    VLAI
    Title
    Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
    Summary
    Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T15:30:29.686589Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:02:43.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T18:04:47.713Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.11"
            }
          ],
          "source": {
            "advisory": "GHSA-68rr-p4fp-j59v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() \u2014 predictable / zero\u2011UUID on crypto/rand failure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66630",
        "datePublished": "2026-02-09T18:04:47.713Z",
        "dateReserved": "2025-12-05T15:42:44.716Z",
        "dateUpdated": "2026-02-10T16:02:43.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54801 (GCVE-0-2025-54801)

    Vulnerability from nvd – Published: 2025-08-05 23:33 – Updated: 2025-08-07 14:00
    VLAI
    Title
    Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder
    Summary
    Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54801",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T13:59:43.620645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:00:09.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber\u0027s Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:33:28.221Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
            }
          ],
          "source": {
            "advisory": "GHSA-qx2q-88mx-vhg7",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54801",
        "datePublished": "2025-08-05T23:33:28.221Z",
        "dateReserved": "2025-07-29T16:50:28.395Z",
        "dateUpdated": "2025-08-07T14:00:09.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48075 (GCVE-0-2025-48075)

    Vulnerability from nvd – Published: 2025-05-22 17:25 – Updated: 2025-05-22 17:59
    VLAI
    Title
    Fiber panics when fiber.Ctx.BodyParser parses invalid range index
    Summary
    Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 2.52.6, < 2.52.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48075",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:58:04.769002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:59:02.707Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.52.6, \u003c 2.52.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser`  functionality. Version 2.52.7 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T17:25:18.447Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
            }
          ],
          "source": {
            "advisory": "GHSA-hg3g-gphw-5hhm",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-48075",
        "datePublished": "2025-05-22T17:25:18.447Z",
        "dateReserved": "2025-05-15T16:06:40.942Z",
        "dateUpdated": "2025-05-22T17:59:02.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-38513 (GCVE-0-2024-38513)

    Vulnerability from nvd – Published: 2024-07-01 18:31 – Updated: 2024-08-02 04:12
    VLAI
    Title
    Fiber Session Middleware Token Injection Vulnerability
    Summary
    Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.5
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.52.5 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.52.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-38513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T20:26:43.929677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T20:31:39.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:12:25.224Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber\u0027s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-01T18:31:13.028Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
            }
          ],
          "source": {
            "advisory": "GHSA-98j2-3j3p-fw2v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber Session Middleware Token Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-38513",
        "datePublished": "2024-07-01T18:31:13.028Z",
        "dateReserved": "2024-06-18T16:37:02.727Z",
        "dateUpdated": "2024-08-02T04:12:25.224Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25124 (GCVE-0-2024-25124)

    Vulnerability from nvd – Published: 2024-02-21 21:01 – Updated: 2024-08-26 14:39
    VLAI
    Title
    Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
    Summary
    Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.1
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.52.1 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:36:21.623Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
              },
              {
                "name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
              },
              {
                "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
              },
              {
                "name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
              },
              {
                "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
              },
              {
                "name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
              },
              {
                "name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.52.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25124",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-22T16:40:32.534976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-26T14:39:19.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T21:01:44.672Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
            },
            {
              "name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
            },
            {
              "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
            },
            {
              "name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
            },
            {
              "name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
            },
            {
              "name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
            }
          ],
          "source": {
            "advisory": "GHSA-fmg4-x8pw-hjhg",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25124",
        "datePublished": "2024-02-21T21:01:44.672Z",
        "dateReserved": "2024-02-05T14:14:46.380Z",
        "dateUpdated": "2024-08-26T14:39:19.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45141 (GCVE-0-2023-45141)

    Vulnerability from nvd – Published: 2023-10-16 20:48 – Updated: 2024-09-16 15:53
    VLAI
    Title
    CSRF Token Validation Vulnerability in fiber
    Summary
    Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.50.0
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.50.0 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:18.365Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.50.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T15:22:04.464336Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T15:53:51.368Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.50.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user\u0027s behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-16T20:48:55.590Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
            }
          ],
          "source": {
            "advisory": "GHSA-mv73-f69x-444p",
            "discovery": "UNKNOWN"
          },
          "title": "CSRF Token Validation Vulnerability in fiber"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45141",
        "datePublished": "2023-10-16T20:48:55.590Z",
        "dateReserved": "2023-10-04T16:02:46.329Z",
        "dateUpdated": "2024-09-16T15:53:51.368Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45128 (GCVE-0-2023-45128)

    Vulnerability from nvd – Published: 2023-10-16 20:45 – Updated: 2024-09-16 14:23
    VLAI
    Title
    CSRF Token Reuse Vulnerability in fiber
    Summary
    Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.50.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:18.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T14:23:34.651707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T14:23:48.099Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.50.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-16T20:46:19.342Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
            }
          ],
          "source": {
            "advisory": "GHSA-94w9-97p3-p368",
            "discovery": "UNKNOWN"
          },
          "title": "CSRF Token Reuse Vulnerability in fiber"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45128",
        "datePublished": "2023-10-16T20:45:07.068Z",
        "dateReserved": "2023-10-04T16:02:46.327Z",
        "dateUpdated": "2024-09-16T14:23:48.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2026-44332 (GCVE-0-2026-44332)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:32 – Updated: 2026-07-09 14:33
    VLAI
    Title
    Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 3.3.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-44332",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T14:33:24.172923Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T14:33:29.004Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.3.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.3.0, the default Authorizer function in the BasicAuth middleware in middleware/basicauth/config.go uses short-circuit evaluation that skips password hash comparison for non-existent usernames, enabling reliable remote username enumeration through response timing differences. This issue is fixed in version 3.3.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-203",
                  "description": "CWE-203: Observable Discrepancy",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:32:15.113Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-g5vh-55hw-rxm8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-g5vh-55hw-rxm8"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4245",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4245"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/c7ac00edd19f9669b1aebbec6e229658baaa059e",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/c7ac00edd19f9669b1aebbec6e229658baaa059e"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-g5vh-55hw-rxm8",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: Username Enumeration via Timing Oracle in BasicAuth Default Authorizer"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-44332",
        "datePublished": "2026-07-08T19:32:15.113Z",
        "dateReserved": "2026-05-05T19:52:59.146Z",
        "dateUpdated": "2026-07-09T14:33:29.004Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-53624 (GCVE-0-2026-53624)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:32 – Updated: 2026-07-08 19:32
    VLAI
    Title
    Fiber: HSTS header never set in helmet middleware due to incorrect protocol check
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 3.4.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 3.4.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319: Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:32:08.191Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4389",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4389"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/04dd4e7754f61768fddccacc79057e416f13e6bf",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/04dd4e7754f61768fddccacc79057e416f13e6bf"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.4.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.4.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gv83-gqw6-9j2c",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: HSTS header never set in helmet middleware due to incorrect protocol check"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-53624",
        "datePublished": "2026-07-08T19:32:08.191Z",
        "dateReserved": "2026-06-09T20:16:59.646Z",
        "dateUpdated": "2026-07-08T19:32:08.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-45045 (GCVE-0-2026-45045)

    Vulnerability from cvelistv5 – Published: 2026-07-08 19:26 – Updated: 2026-07-09 13:20
    VLAI
    Title
    Fiber: X-Real-IP Spoofing via Header.Add() in BalancerForward
    Summary
    Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-290 - Authentication Bypass by Spoofing
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0-beta.2, < 3.3.0
    Affected: < 2.52.14
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-45045",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-09T13:19:42.395861Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-09T13:20:08.367Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-beta.2, \u003c 3.3.0"
                },
                {
                  "status": "affected",
                  "version": "\u003c 2.52.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-290",
                  "description": "CWE-290: Authentication Bypass by Spoofing",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T19:26:26.580Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-gcfq-8gqf-4876",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-gcfq-8gqf-4876"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4260",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4260"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4495",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4495"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/33c9501288ab47a429c8b5e701493f0c3c0af37d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/33c9501288ab47a429c8b5e701493f0c3c0af37d"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.14",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.14"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.3.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.3.0"
            }
          ],
          "source": {
            "advisory": "GHSA-gcfq-8gqf-4876",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: X-Real-IP Spoofing via Header.Add() in BalancerForward"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-45045",
        "datePublished": "2026-07-08T19:26:26.580Z",
        "dateReserved": "2026-05-08T18:07:27.341Z",
        "dateUpdated": "2026-07-09T13:20:08.367Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-42554 (GCVE-0-2026-42554)

    Vulnerability from cvelistv5 – Published: 2026-05-11 21:47 – Updated: 2026-05-15 18:24
    VLAI
    Title
    Fiber: XSS in AutoFormat Content Negotiation
    Summary
    Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply." This vulnerability is fixed in 2.52.12 and 3.1.0.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.13
    Affected: >= 3.0.0-beta.2, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-42554",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T18:24:24.733312Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T18:24:38.300Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.13"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0-beta.2, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph \"safe, format-agnostic reply.\" This vulnerability is fixed in 2.52.12 and 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "LOW",
                "subIntegrityImpact": "LOW",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-11T21:47:17.133Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv"
            }
          ],
          "source": {
            "advisory": "GHSA-qjv7-627w-8qjv",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber: XSS in AutoFormat Content Negotiation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-42554",
        "datePublished": "2026-05-11T21:47:17.133Z",
        "dateReserved": "2026-04-28T16:56:50.191Z",
        "dateUpdated": "2026-05-15T18:24:38.300Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-30246 (GCVE-0-2026-30246)

    Vulnerability from cvelistv5 – Published: 2026-05-05 12:40 – Updated: 2026-05-05 15:04
    VLAI
    Title
    github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters
    Summary
    Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-436 - Interpretation Conflict
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= v3.0.0-beta.2, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-30246",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-05T15:03:58.218760Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-05T15:04:02.984Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= v3.0.0-beta.2, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-436",
                  "description": "CWE-436: Interpretation Conflict",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-05T12:40:19.813Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92"
            }
          ],
          "source": {
            "advisory": "GHSA-35hp-hqmv-8qg8",
            "discovery": "UNKNOWN"
          },
          "title": "github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-30246",
        "datePublished": "2026-05-05T12:40:19.813Z",
        "dateReserved": "2026-03-04T17:23:59.799Z",
        "dateUpdated": "2026-05-05T15:04:02.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25899 (GCVE-0-2026-25899)

    Vulnerability from cvelistv5 – Published: 2026-02-24 21:11 – Updated: 2026-02-24 21:37
    VLAI
    Title
    Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
    Summary
    Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25899",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:37:21.605800Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:37:33.970Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:11:17.804Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v3.1.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v3.1.0"
            }
          ],
          "source": {
            "advisory": "GHSA-2mr3-m5q5-wgp6",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25899",
        "datePublished": "2026-02-24T21:11:17.804Z",
        "dateReserved": "2026-02-06T21:08:39.131Z",
        "dateUpdated": "2026-02-24T21:37:33.970Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25891 (GCVE-0-2026-25891)

    Vulnerability from cvelistv5 – Published: 2026-02-24 21:08 – Updated: 2026-02-24 21:39
    VLAI
    Title
    Fiber has an Arbitrary File Read in Static Middleware on Windows
    Summary
    Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25891",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:39:00.083530Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:39:11.118Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:08:48.675Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/4064",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/4064"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86"
            }
          ],
          "source": {
            "advisory": "GHSA-m3c2-496v-cw3v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has an Arbitrary File Read in Static Middleware on Windows"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25891",
        "datePublished": "2026-02-24T21:08:48.675Z",
        "dateReserved": "2026-02-06T21:08:39.130Z",
        "dateUpdated": "2026-02-24T21:39:11.118Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-25882 (GCVE-0-2026-25882)

    Vulnerability from cvelistv5 – Published: 2026-02-24 21:05 – Updated: 2026-02-24 21:39
    VLAI
    Title
    Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
    Summary
    Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 2.0.0, < 2.52.12
    Affected: >= 3.0.0, < 3.1.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-25882",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-24T21:39:39.261259Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-24T21:39:51.170Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.0.0, \u003c 2.52.12"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 3.0.0, \u003c 3.1.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 5.5,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-24T21:09:57.502Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3"
            },
            {
              "name": "https://github.com/gofiber/fiber/pull/3962",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/pull/3962"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/main/path.go#L514",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/main/path.go#L514"
            },
            {
              "name": "https://github.com/gofiber/fiber/blob/v2/path.go#L516",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/blob/v2/path.go#L516"
            }
          ],
          "source": {
            "advisory": "GHSA-mrq8-rjmw-wpq3",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has a Denial of Service Vulnerability via Route Parameter Overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2026-25882",
        "datePublished": "2026-02-24T21:05:28.211Z",
        "dateReserved": "2026-02-06T21:08:39.129Z",
        "dateUpdated": "2026-02-24T21:39:51.170Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-66630 (GCVE-0-2025-66630)

    Vulnerability from cvelistv5 – Published: 2026-02-09 18:04 – Updated: 2026-02-10 16:02
    VLAI
    Title
    Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
    Summary
    Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.11
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-66630",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-02-10T15:30:29.686589Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-02-10T16:02:43.238Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.11"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "HIGH",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 9.2,
                "baseSeverity": "CRITICAL",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-338",
                  "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-09T18:04:47.713Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.11",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.11"
            }
          ],
          "source": {
            "advisory": "GHSA-68rr-p4fp-j59v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() \u2014 predictable / zero\u2011UUID on crypto/rand failure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-66630",
        "datePublished": "2026-02-09T18:04:47.713Z",
        "dateReserved": "2025-12-05T15:42:44.716Z",
        "dateUpdated": "2026-02-10T16:02:43.238Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-54801 (GCVE-0-2025-54801)

    Vulnerability from cvelistv5 – Published: 2025-08-05 23:33 – Updated: 2025-08-07 14:00
    VLAI
    Title
    Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder
    Summary
    Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-789 - Memory Allocation with Excessive Size Value
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.9
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-54801",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-07T13:59:43.620645Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-07T14:00:09.981Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber\u0027s Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-789",
                  "description": "CWE-789: Memory Allocation with Excessive Size Value",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-05T23:33:28.221Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
            }
          ],
          "source": {
            "advisory": "GHSA-qx2q-88mx-vhg7",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-54801",
        "datePublished": "2025-08-05T23:33:28.221Z",
        "dateReserved": "2025-07-29T16:50:28.395Z",
        "dateUpdated": "2025-08-07T14:00:09.981Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-48075 (GCVE-0-2025-48075)

    Vulnerability from cvelistv5 – Published: 2025-05-22 17:25 – Updated: 2025-05-22 17:59
    VLAI
    Title
    Fiber panics when fiber.Ctx.BodyParser parses invalid range index
    Summary
    Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-129 - Improper Validation of Array Index
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: >= 2.52.6, < 2.52.7
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-48075",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T17:58:04.769002Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T17:59:02.707Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.52.6, \u003c 2.52.7"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser`  functionality. Version 2.52.7 fixes the issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "NONE",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-129",
                  "description": "CWE-129: Improper Validation of Array Index",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T17:25:18.447Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
            }
          ],
          "source": {
            "advisory": "GHSA-hg3g-gphw-5hhm",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-48075",
        "datePublished": "2025-05-22T17:25:18.447Z",
        "dateReserved": "2025-05-15T16:06:40.942Z",
        "dateUpdated": "2025-05-22T17:59:02.707Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-38513 (GCVE-0-2024-38513)

    Vulnerability from cvelistv5 – Published: 2024-07-01 18:31 – Updated: 2024-08-02 04:12
    VLAI
    Title
    Fiber Session Middleware Token Injection Vulnerability
    Summary
    Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.5
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.52.5 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.52.5",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-38513",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-02T20:26:43.929677Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-07-02T20:31:39.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T04:12:25.224Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.5"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber\u0027s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-384",
                  "description": "CWE-384: Session Fixation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-07-01T18:31:13.028Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
            }
          ],
          "source": {
            "advisory": "GHSA-98j2-3j3p-fw2v",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber Session Middleware Token Injection Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-38513",
        "datePublished": "2024-07-01T18:31:13.028Z",
        "dateReserved": "2024-06-18T16:37:02.727Z",
        "dateUpdated": "2024-08-02T04:12:25.224Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-25124 (GCVE-0-2024-25124)

    Vulnerability from cvelistv5 – Published: 2024-02-21 21:01 – Updated: 2024-08-26 14:39
    VLAI
    Title
    Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
    Summary
    Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-346 - Origin Validation Error
    • CWE-942 - Permissive Cross-domain Policy with Untrusted Domains
    Assigner
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.52.1
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.52.1 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T23:36:21.623Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
              },
              {
                "name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
              },
              {
                "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
              },
              {
                "name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
              },
              {
                "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
              },
              {
                "name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
              },
              {
                "name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.52.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-25124",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-02-22T16:40:32.534976Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-26T14:39:19.825Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.52.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 9.4,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-346",
                  "description": "CWE-346: Origin Validation Error",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-942",
                  "description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-02-21T21:01:44.672Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
            },
            {
              "name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
            },
            {
              "name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
            },
            {
              "name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
            },
            {
              "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
            },
            {
              "name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
            },
            {
              "name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
            }
          ],
          "source": {
            "advisory": "GHSA-fmg4-x8pw-hjhg",
            "discovery": "UNKNOWN"
          },
          "title": "Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-25124",
        "datePublished": "2024-02-21T21:01:44.672Z",
        "dateReserved": "2024-02-05T14:14:46.380Z",
        "dateUpdated": "2024-08-26T14:39:19.825Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45141 (GCVE-0-2023-45141)

    Vulnerability from cvelistv5 – Published: 2023-10-16 20:48 – Updated: 2024-09-16 15:53
    VLAI
    Title
    CSRF Token Validation Vulnerability in fiber
    Summary
    Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.50.0
    Create a notification for this product.
    gofiber fiber Affected: 0 , < 2.50.0 (custom)
        cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:18.365Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fiber",
                "vendor": "gofiber",
                "versions": [
                  {
                    "lessThan": "2.50.0",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45141",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T15:22:04.464336Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T15:53:51.368Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.50.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user\u0027s behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 8.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "LOW",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-16T20:48:55.590Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
            }
          ],
          "source": {
            "advisory": "GHSA-mv73-f69x-444p",
            "discovery": "UNKNOWN"
          },
          "title": "CSRF Token Validation Vulnerability in fiber"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45141",
        "datePublished": "2023-10-16T20:48:55.590Z",
        "dateReserved": "2023-10-04T16:02:46.329Z",
        "dateUpdated": "2024-09-16T15:53:51.368Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-45128 (GCVE-0-2023-45128)

    Vulnerability from cvelistv5 – Published: 2023-10-16 20:45 – Updated: 2024-09-16 14:23
    VLAI
    Title
    CSRF Token Reuse Vulnerability in fiber
    Summary
    Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-20 - Improper Input Validation
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    • CWE-565 - Reliance on Cookies without Validation and Integrity Checking
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    References
    Impacted products
    Vendor Product Version
    gofiber fiber Affected: < 2.50.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T20:14:18.999Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
              },
              {
                "name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-45128",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T14:23:34.651707Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T14:23:48.099Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "fiber",
              "vendor": "gofiber",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.50.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 10,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20: Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352: Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-565",
                  "description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-10-16T20:46:19.342Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
            },
            {
              "name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
            }
          ],
          "source": {
            "advisory": "GHSA-94w9-97p3-p368",
            "discovery": "UNKNOWN"
          },
          "title": "CSRF Token Reuse Vulnerability in fiber"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-45128",
        "datePublished": "2023-10-16T20:45:07.068Z",
        "dateReserved": "2023-10-04T16:02:46.327Z",
        "dateUpdated": "2024-09-16T14:23:48.099Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }