{"ecosystem":"go","package":"github.com/gofiber/fiber","version":null,"bugs":[{"id":965,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"2.52.11","bug_id":"osv:GO-2026-4471","title":"Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() on crypto/rand failure in github.com/gofiber/fiber","description":"Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v","labels":["CVE-2025-66630","GHSA-68rr-p4fp-j59v"],"created_at":"2026-04-19T04:32:25.065208+00:00","updated_at":"2026-04-19T04:32:25.065208+00:00"},{"id":964,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":"2.52.6","fixed_version":"2.52.7","bug_id":"osv:GO-2025-3706","title":"Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber","description":"Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm","labels":["CVE-2025-48075","GHSA-hg3g-gphw-5hhm"],"created_at":"2026-04-19T04:32:25.064759+00:00","updated_at":"2026-04-19T04:32:25.064759+00:00"},{"id":963,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"2.52.5","bug_id":"osv:GO-2024-2959","title":"Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber","description":"Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v","labels":["CVE-2024-38513","GHSA-98j2-3j3p-fw2v"],"created_at":"2026-04-19T04:32:25.064320+00:00","updated_at":"2026-04-19T04:32:25.064320+00:00"},{"id":962,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"1.12.6","bug_id":"osv:GO-2021-0108","title":"CRLF vulnerability in Fiber in github.com/gofiber/fiber","description":"Due to improper input sanitization, a maliciously constructed filename could cause a file download to use an attacker controlled filename, as well as injecting additional headers into an HTTP response.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/pull/579","labels":["CVE-2020-15111","GHSA-9cx9-x2gp-9qvh"],"created_at":"2026-04-19T04:32:25.063876+00:00","updated_at":"2026-04-19T04:32:25.063876+00:00"},{"id":961,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"1.12.6","bug_id":"osv:GHSA-9cx9-x2gp-9qvh","title":"CRLF vulnerability in Fiber","description":"### Impact\nThe filename that is given in [c.Attachment()](https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc.\n\n### Steps to reproduce\n```go\npackage main\n\nimport \"github.com/gofiber/fiber\"\n\nconst badFileName = \"another secret document.pdf\\\"\\r\\nLocation: google.com\\r\\nAuthorization: \\\"example_of_session_fixation\"\n\nfunc splitTheResponse(c *fiber.Ctx) {\n\tc.Attachment(badFileName)\n}\n\nfunc main() {\n\tapp := fiber.New()\n\tapp.Get(\"/attack\", splitTheResponse)\n\tapp.Listen(\"127.0.0.1:8080\")\n}\n```\n```\nHTTP/1.1 200 OK\nDate: Fri, 10 Jul 2020 19:47:04 GMT\nContent-Type: application/octet-stream\nContent-Length: 0\nContent-Disposition: attachment; filename=\"another secret document.pdf\"\nLocation: google.com\nAuthorization: \"example_of_session_fixation\"\n```\n\n### Patches\nThis issue has been patched in `v1.12.6` with commit [579](https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f) escaping the filename by default.\n\n### Workarounds\nYou could of course serialize the input yourself before passing it to `ctx.Attachment()`, this is actually a good practice by default. But in case you forget, we got you covered 👍 \n\n### References\nA CRLF injection attack is one of several types of injection attacks. It can be used to escalate to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and more. A CRLF injection vulnerability exists if an attacker can inject the CRLF characters into a web application, for example using a user input form or an HTTP request, [see acunetix](https://www.acunetix.com/websitesecurity/crlf-injection/)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [gofiber/fiber](https://github.com/gofiber/fiber)\n* Join us on [Discord](https://gofiber.io/discord)","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh","labels":["CVE-2020-15111","GO-2021-0108"],"created_at":"2026-04-19T04:32:25.063344+00:00","updated_at":"2026-04-19T04:32:25.063344+00:00"},{"id":959,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"2.49.2","bug_id":"osv:GHSA-3q5p-3558-364f","title":"Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`","description":"### Impact\nThis vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.\n\nIn it's implementation it uses c.IPs():\n\n```go\n// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.\n// When IP validation is enabled, only valid IPs are returned.\nfunc (c *Ctx) IPs() []string {\n    return c.extractIPsFromHeader(HeaderXForwardedFor)\n}\n```\n\nThereby, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) \n\n### Patches\nThis issue has been patched in `v2.49.2` with commit [b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc](https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc)\n\n### Workarounds\nCurrently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.\n\n### References\nFor further information and context regarding this security issue, please refer to the following resources:\n\n- [Mozilla Developer Network - X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)\n\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f","labels":["CVE-2023-41338","GO-2023-2052"],"created_at":"2026-04-19T04:32:25.061487+00:00","updated_at":"2026-04-19T04:32:25.061487+00:00"},{"id":960,"ecosystem":"go","package_name":"github.com/gofiber/fiber","affected_version":null,"fixed_version":"2.52.5","bug_id":"osv:GHSA-98j2-3j3p-fw2v","title":"Session Middleware Token Injection Vulnerability","description":"A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.\n\n## Impact\nThe identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.\n\n## Patches\nThe issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.\n\n## Workarounds\nUsers who are unable to upgrade immediately can apply the following workarounds to reduce the risk:\n\n1. **Validate Session IDs**: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.\n2. **Session Management**: Regularly rotate session IDs and enforce strict session expiration policies.\n\n## References\nFor more information on session best practices:\n- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\n\nUsers are encouraged to review these references and take immediate action to secure their applications.","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v","labels":["CVE-2024-38513","GO-2024-2959"],"created_at":"2026-04-19T04:32:25.062605+00:00","updated_at":"2026-04-19T04:32:25.062605+00:00"}],"total":7,"_cache":"miss"}