GHSA-QJV7-627W-8QJV

Vulnerability from github – Published: 2026-05-05 20:13 – Updated: 2026-05-13 14:20
VLAI
Summary
Fiber vulnerable to XSS in AutoFormat Content Negotiation
Details

Summary

Description

A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects github.com/gofiber/fiber/v3 (DefaultRes.AutoFormat) through version 3.1.0 and github.com/gofiber/fiber/v2 (Ctx.Format) through version 2.52.12.

The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape. JSON, XML, MsgPack, and CBOR all route through encoders that neutralize markup; the txt branch emits text/plain and cannot execute. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply."

Details

The issue resides in res.go within (*DefaultRes).AutoFormat(). The method negotiates against the request Accept header, selects one of html | json | txt | xml | msgpack | cbor, and serializes the caller-supplied body accordingly.

The "html" branch concatenates the stringified body directly into HTML markup with no output encoding: - accept comes from r.c.Accepts(...), i.e. is fully attacker-controlled. An attacker can force the "html" branch on any AutoFormat() call regardless of which format the developer tested against. - b is produced from body via direct assignment (string / []byte) or fmt.Sprintf("%v", body). No html.EscapeString is applied. - The resulting string is sent as text/html; charset=utf-8, so browsers render it as active HTML.

// res.go
func (r *DefaultRes) AutoFormat(body any) error {

    accept := r.c.DefaultReq.Accepts("html", "json", "txt", "xml", "msgpack", "cbor")

    r.Type(accept)
    var b string
    switch val := body.(type) {
    case string:
        b = val
    case []byte:
        b = r.c.app.toString(val)
    default:
        b = fmt.Sprintf("%v", val)
    }

    switch accept {
    case "txt":
        return r.SendString(b)
    case "json":
        return r.JSON(body)
    case "xml":
        return r.XML(body)
    case "html":
        return r.SendString("<p>" + b + "</p>")
    case "msgpack":
        return r.MsgPack(body)
    case "cbor":
        return r.CBOR(body)
    }
    return r.SendString(b)
}

Impact

This impacts all current v3 releases ≤ 3.1.0 containing DefaultRes.AutoFormat, and all current v2 releases ≤ 2.52.12 where the identical "<p>" + b + "</p>" construction exists in (*Ctx).Format(). Exploitation requires that an application call c.AutoFormat(v) where v (or a field stringified by %v) contains request-influenced data.

A handler that uses AutoFormat() to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sends Accept: text/html, even if the developer only tested the JSON path.

This may result in: - Reflected XSS in the application's origin via any request-derived value reaching AutoFormat. - Stored XSS where the reflected value originates from persisted input later passed to AutoFormat.

Proposed Patch

The injection surface is r.Type("html") followed by r.SendString(b) with unescaped caller data, where it constructs markup on the caller's behalf around a value whose HTML-ness the caller did not declare. A few options: - AutoFormat() should treat body as data, not markup, in the "html" branch and escape it before concatenating it into the framework-generated <p> wrapper. Callers that need raw negotiated HTML should use Format() with an explicit HTML handler. - Introduce a sibling method that escapes, leave AutoFormat alone for backward compatibility.

HTML-escape the value in the "html" branch before concatenating it into the <p> wrapper.

import "html"

// ...
case "html":
    return r.SendString("<p>" + html.EscapeString(b) + "</p>")

html.EscapeString escapes <, >, &, ', ", which is sufficient for an element-text context. Apply the same change to v2's (*Ctx).Format().

Proof of Concept

# Create project directory
mkdir fiber-xss-poc && cd fiber-xss-poc

# Initialize Go module
go mod init fiber-xss-poc

# Install Fiber v3
go get github.com/gofiber/fiber/v3

# Create the PoC file
cat > main.go << 'EOF'
package main

import (
    "github.com/gofiber/fiber/v3"
)

type User struct {
    ID   int    `json:"id"`
    Name string `json:"name"`
}

func main() {
    app := fiber.New()

    app.Get("/api/user", func(c fiber.Ctx) error {
        user := User{
            ID:   1,
            Name: c.Query("name", "anonymous"),
        }
        return c.AutoFormat(user)
    })

    app.Listen(":3000")
}
EOF

# Run it
go run main.go
}

Benign JSON

curl -s 'http://127.0.0.1:3000/api/user?name=Alice' -H 'Accept: application/json'
{"id":1,"name":"Alice"}

HTML sink enables XSS

curl -s 'http://127.0.0.1:3000/api/user?name=<script>alert(document.domain)</script>' -H 'Accept: text/html'
<p>{1 <script>alert(document.domain)</script>}</p>
Severity
5.3 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.52.12"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.52.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T20:13:23Z",
    "nvd_published_at": "2026-05-11T23:19:48Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n**Description**\n\nA Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying `Accept: text/html` on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects `github.com/gofiber/fiber/v3` (`DefaultRes.AutoFormat`) through version 3.1.0 and `github.com/gofiber/fiber/v2` (`Ctx.Format`) through version 2.52.12. \n\nThe developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape. `JSON`, `XML`, `MsgPack`, and `CBOR` all route through encoders that neutralize markup; the txt branch emits `text/plain` and cannot execute. The html branch is the sole outlier in a method whose name (`AutoFormat`) and symmetrical structure actively telegraph \"safe, format-agnostic reply.\"\n\n## Details\nThe issue resides in `res.go` within `(*DefaultRes).AutoFormat()`. The method negotiates against the request Accept header, selects one of `html | json | txt | xml | msgpack | cbor`, and serializes the caller-supplied body accordingly.\n\nThe \"html\" branch concatenates the stringified body directly into HTML markup with no output encoding:\n- `accept` comes from `r.c.Accepts(...)`, i.e. is fully attacker-controlled. An attacker can force the \"html\" branch on any `AutoFormat()` call regardless of which format the developer tested against.\n- `b` is produced from `body` via direct assignment (`string` / `[]byte`) or `fmt.Sprintf(\"%v\", body)`. No `html.EscapeString` is applied.\n- The resulting string is sent as `text/html; charset=utf-8`, so browsers render it as active HTML.\n\n```go\n// res.go\nfunc (r *DefaultRes) AutoFormat(body any) error {\n\n    accept := r.c.DefaultReq.Accepts(\"html\", \"json\", \"txt\", \"xml\", \"msgpack\", \"cbor\")\n\n    r.Type(accept)\n    var b string\n    switch val := body.(type) {\n    case string:\n        b = val\n    case []byte:\n        b = r.c.app.toString(val)\n    default:\n        b = fmt.Sprintf(\"%v\", val)\n    }\n\n    switch accept {\n    case \"txt\":\n        return r.SendString(b)\n    case \"json\":\n        return r.JSON(body)\n    case \"xml\":\n        return r.XML(body)\n    case \"html\":\n        return r.SendString(\"\u003cp\u003e\" + b + \"\u003c/p\u003e\")\n    case \"msgpack\":\n        return r.MsgPack(body)\n    case \"cbor\":\n        return r.CBOR(body)\n    }\n    return r.SendString(b)\n}\n```\n## Impact\n\nThis impacts all current v3 releases \u2264 3.1.0 containing `DefaultRes.AutoFormat`, and all current v2 releases \u2264 2.52.12 where the identical `\"\u003cp\u003e\" + b + \"\u003c/p\u003e\"` construction exists in `(*Ctx).Format()`. Exploitation requires that an application call `c.AutoFormat(v)` where `v` (or a field stringified by `%v`) contains request-influenced data.\n\nA handler that uses `AutoFormat()` to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sends `Accept: text/html`, even if the developer only tested the JSON path.\n\nThis may result in:\n- **Reflected XSS** in the application\u0027s origin via any request-derived value reaching `AutoFormat`.\n- **Stored XSS** where the reflected value originates from persisted input later passed to `AutoFormat`.\n\n## Proposed Patch\n\nThe injection surface is `r.Type(\"html\")` followed by `r.SendString(b)` with unescaped caller data, where it constructs markup on the caller\u0027s behalf around a value whose HTML-ness the caller did not declare. A few options:\n- `AutoFormat()` should treat `body` as data, not markup, in the `\"html\"` branch and escape it before concatenating it into the framework-generated `\u003cp\u003e` wrapper. Callers that need raw negotiated HTML should use `Format()` with an explicit HTML handler.\n- Introduce a sibling method that escapes, leave `AutoFormat` alone for backward compatibility.\n\nHTML-escape the value in the \"html\" branch before concatenating it into the `\u003cp\u003e` wrapper.\n```go\nimport \"html\"\n\n// ...\ncase \"html\":\n    return r.SendString(\"\u003cp\u003e\" + html.EscapeString(b) + \"\u003c/p\u003e\")\n```\n\n`html.EscapeString` escapes `\u003c`, `\u003e`, `\u0026`, `\u0027`, `\"`, which is sufficient for an element-text context. Apply the same change to v2\u0027s `(*Ctx).Format()`.\n\n## Proof of Concept\n\n```bash\n# Create project directory\nmkdir fiber-xss-poc \u0026\u0026 cd fiber-xss-poc\n\n# Initialize Go module\ngo mod init fiber-xss-poc\n\n# Install Fiber v3\ngo get github.com/gofiber/fiber/v3\n\n# Create the PoC file\ncat \u003e main.go \u003c\u003c \u0027EOF\u0027\npackage main\n\nimport (\n\t\"github.com/gofiber/fiber/v3\"\n)\n\ntype User struct {\n\tID   int    `json:\"id\"`\n\tName string `json:\"name\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\tapp.Get(\"/api/user\", func(c fiber.Ctx) error {\n\t\tuser := User{\n\t\t\tID:   1,\n\t\t\tName: c.Query(\"name\", \"anonymous\"),\n\t\t}\n\t\treturn c.AutoFormat(user)\n\t})\n\n\tapp.Listen(\":3000\")\n}\nEOF\n\n# Run it\ngo run main.go\n}\n```\n\nBenign JSON\n```bash\ncurl -s \u0027http://127.0.0.1:3000/api/user?name=Alice\u0027 -H \u0027Accept: application/json\u0027\n{\"id\":1,\"name\":\"Alice\"}\n```\n\nHTML sink enables XSS\n```bash\ncurl -s \u0027http://127.0.0.1:3000/api/user?name=\u003cscript\u003ealert(document.domain)\u003c/script\u003e\u0027 -H \u0027Accept: text/html\u0027\n\u003cp\u003e{1 \u003cscript\u003ealert(document.domain)\u003c/script\u003e}\u003c/p\u003e\n```",
  "id": "GHSA-qjv7-627w-8qjv",
  "modified": "2026-05-13T14:20:14Z",
  "published": "2026-05-05T20:13:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qjv7-627w-8qjv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42554"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fiber vulnerable to XSS in AutoFormat Content Negotiation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.