GHSA-35HP-HQMV-8QG8

Vulnerability from github – Published: 2026-04-28 22:28 – Updated: 2026-05-08 13:42
VLAI?
Summary
Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Details

Summary

Fiber cache middleware's default key generator uses only c.Path() and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response.

This can cause response mix-up (cache poisoning-like behavior) for endpoints where response content depends on query parameters.

Details

Default configuration in cache middleware:

  • KeyGenerator: func(c fiber.Ctx) string { return utils.CopyString(c.Path()) }

References: - https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92 - https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621

The existing test demonstrates that when handler output depends on query parameter id, a second request with a different query still returns the first cached response (cache hit), confirming query is not part of the default cache key.

PoC

Minimal PoC:

package main

import (
    "log"

    "github.com/gofiber/fiber/v3"
    "github.com/gofiber/fiber/v3/middleware/cache"
)

func main() {
    app := fiber.New()
    app.Use(cache.New()) // default config

    app.Get("/", func(c fiber.Ctx) error {
        return c.SendString(c.Query("id", "1"))
    })

    log.Fatal(app.Listen(":3000"))
}

Reproduction:

  1. GET /?id=1
  2. Cache miss
  3. Response body: 1
  4. GET /?id=2
  5. Cache hit
  6. Response body: 1 (expected 2)

Local verification command used:

go test ./middleware/cache -run Test_Cache_WithNoCacheRequestDirective -count=1

Observed result: test passes, confirming this is current behavior.

Impact

  • Responses that should vary by query parameters can be mixed between requests.
  • In real deployments, this may leak or corrupt user/tenant-specific content if query parameters influence context or data selection.
  • This is deployment-dependent but security-relevant, and not safe-by-default for query-variant responses.

Suggested remediation

  • Change default cache key generation to include path + normalized query string (or canonicalized original URL).
  • Keep ability for custom key generators.
  • Add explicit documentation warning that path-only keying is unsafe for query-dependent responses.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-30246"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-436",
      "CWE-524"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-28T22:28:14Z",
    "nvd_published_at": "2026-05-05T13:16:28Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nFiber cache middleware\u0027s default key generator uses only `c.Path()` and does not include the query string.\nAs a result, requests like `/?id=1` and `/?id=2` can map to the same cache key and share the same cached response.\n\nThis can cause response mix-up (cache poisoning-like behavior) for endpoints where response content depends on query parameters.\n\n### Details\nDefault configuration in cache middleware:\n\n- `KeyGenerator: func(c fiber.Ctx) string { return utils.CopyString(c.Path()) }`\n\nReferences:\n- https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92\n- https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621\n\nThe existing test demonstrates that when handler output depends on query parameter `id`, a second request with a different query still returns the first cached response (cache hit), confirming query is not part of the default cache key.\n\n### PoC\nMinimal PoC:\n\n```go\npackage main\n\nimport (\n    \"log\"\n\n    \"github.com/gofiber/fiber/v3\"\n    \"github.com/gofiber/fiber/v3/middleware/cache\"\n)\n\nfunc main() {\n    app := fiber.New()\n    app.Use(cache.New()) // default config\n\n    app.Get(\"/\", func(c fiber.Ctx) error {\n        return c.SendString(c.Query(\"id\", \"1\"))\n    })\n\n    log.Fatal(app.Listen(\":3000\"))\n}\n```\n\nReproduction:\n\n1. `GET /?id=1`\n   - Cache miss\n   - Response body: `1`\n2. `GET /?id=2`\n   - Cache hit\n   - Response body: `1` (expected `2`)\n\nLocal verification command used:\n\n```bash\ngo test ./middleware/cache -run Test_Cache_WithNoCacheRequestDirective -count=1\n```\n\nObserved result: test passes, confirming this is current behavior.\n\n### Impact\n- Responses that should vary by query parameters can be mixed between requests.\n- In real deployments, this may leak or corrupt user/tenant-specific content if query parameters influence context or data selection.\n- This is deployment-dependent but security-relevant, and not safe-by-default for query-variant responses.\n\n### Suggested remediation\n- Change default cache key generation to include path + normalized query string (or canonicalized original URL).\n- Keep ability for custom key generators.\n- Add explicit documentation warning that path-only keying is unsafe for query-dependent responses.",
  "id": "GHSA-35hp-hqmv-8qg8",
  "modified": "2026-05-08T13:42:45Z",
  "published": "2026-04-28T22:28:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30246"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/commit/050ff1ff18511c1475b8ec627460216aaecddd4e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/commit/9a0d12c07ed895b84c72987f9288b04137afe5de"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go#L599-L621"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/blob/main/middleware/cache/config.go#L90-L92"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fiber\u0027s cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.