# github.com/gofiber/fiber known bugs

Language: go

7 known bugs in github.com/gofiber/fiber, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.

## Known bugs

| Severity | Affected | Fixed in | Title | Status | Source |
|----------|----------|----------|-------|--------|--------|
| medium | any | 2.52.11 | Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() on crypto/rand failure in github.com/gofiber/fiber | fixed | osv:GO-2026-4471 |
| medium | 2.52.6 | 2.52.7 | Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber | fixed | osv:GO-2025-3706 |
| medium | any | 2.52.5 | Session Middleware Token Injection Vulnerability in github.com/gofiber/fiber | fixed | osv:GO-2024-2959 |
| medium | any | 1.12.6 | CRLF vulnerability in Fiber in github.com/gofiber/fiber | fixed | osv:GO-2021-0108 |
| medium | any | 1.12.6 | CRLF vulnerability in Fiber | fixed | osv:GHSA-9cx9-x2gp-9qvh |
| medium | any | 2.49.2 | Fiber unauthorized access vulnerability in `ctx.IsFromLocal()` | fixed | osv:GHSA-3q5p-3558-364f |
| critical | any | 2.52.5 | Session Middleware Token Injection Vulnerability | fixed | osv:GHSA-98j2-3j3p-fw2v |

## Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() (osv:GO-2026-4471)

Severity: medium. Affected: any. Fixed in: 2.52.11. Status: fixed.

Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero-UUID on crypto/rand failure in github.com/gofiber/fiber.

## CRLF vulnerability in Fiber (osv:GO-2021-0108)

Severity: medium. Affected: any. Fixed in: 1.12.6. Status: fixed.

Due to improper input sanitization, a maliciously constructed filename could cause a file download to use an attacker-controlled filename, as well as injecting additional headers into an HTTP response.
## CRLF vulnerability in Fiber (osv:GHSA-9cx9-x2gp-9qvh)

Severity: medium. Affected: any. Fixed in: 1.12.6. Status: fixed.

### Impact

The filename that is given in [c.Attachment()](https://docs.gofiber.io/ctx#attachment) is not escaped, and is therefore vulnerable to a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc.

### Steps to reproduce

```go
package main

import "github.com/gofiber/fiber"

// A filename that closes the quoted-string and continues with CRLF-separated header lines.
const badFileName = "another secret document.pdf\"\r\nLocation: google.com\r\nAuthorization: \"example_of_session_fixation"

func splitTheResponse(c *fiber.Ctx) {
	c.Attachment(badFileName)
}

func main() {
	app := fiber.New()
	app.Get("/attack", splitTheResponse)
	app.Listen("127.0.0.1:8080")
}
```

```
HTTP/1.1 200 OK
Date: Fri, 10 Jul 2020 19:47:04 GMT
Content-Type: application/octet-stream
Content-Length: 0
Content-Disposition: attachment; filename="another secret document.pdf"
Location: google.com
Authorization: "example_of_session_fixation"
```

### Patches

This issue has been patched in `v1.12.6` with commit [579](https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f) escaping the filename by default.

### Workarounds

You could of course serialize the input yourself before passing it to `ctx.Attachment()`; this is actually a good practice by default. But in case you forget, we got you covered 👍

### References

A CRLF injection attack is one of several types of injection attacks. It can be used to escalate to more malicious attacks such as Cross-site Scripting (XSS), page injection, web cache poisoning, cache-based defacement, and more.

A CRLF injection vulnerability exists if an attacker can inject the CRLF characters into a web application, for example using a user input form or an HTTP request, [see acunetix](https://www.acunetix.com/websitesecurity/crlf-injection/).

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [gofiber/fiber](https://github.com/gofiber/fiber)
* Join us on [Discord](https://gofiber.io/discord)
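The workaround the advisory recommends, sanitizing the filename before it reaches `ctx.Attachment()`, as an added example that is neither fiber's code nor part of the advisory. `naiveDisposition`, `sanitizeFilename`, `safeDisposition`, `headerLines` and `injectsHeaders` are hypothetical helpers; the only input is the advisory's own `badFileName`. The naive builder reproduces the split response shown above, while the sanitized builder yields a single header line.

```go
package main

import (
	"fmt"
	"strings"
)

// badFileName is the constructed filename from the advisory: it embeds a closing
// quote and CRLF sequences followed by extra header lines.
const badFileName = "another secret document.pdf\"\r\nLocation: google.com\r\nAuthorization: \"example_of_session_fixation"

// naiveDisposition builds the header value the way an unescaped implementation
// would: the filename is dropped straight into the quoted-string.
func naiveDisposition(name string) string {
	return "attachment; filename=\"" + name + "\""
}

// sanitizeFilename is a hypothetical helper (not fiber's) that applies the
// advisory's workaround: it drops every control character (CR and LF included)
// and neutralises the two characters that would terminate a quoted-string.
func sanitizeFilename(name string) string {
	var b strings.Builder
	for _, r := range name {
		switch {
		case r < 0x20, r == 0x7f: // CR, LF and other control characters
			continue
		case r == '"', r == '\\': // would close or escape the quoted-string
			b.WriteRune('_')
		default:
			b.WriteRune(r)
		}
	}
	return b.String()
}

// safeDisposition sanitizes before quoting, so the value can never span lines.
func safeDisposition(name string) string {
	return naiveDisposition(sanitizeFilename(name))
}

// headerLines splits the raw header the way a naive HTTP writer would emit it,
// showing how many header lines the value actually produces.
func headerLines(value string) []string {
	return strings.Split("Content-Disposition: "+value, "\r\n")
}

// injectsHeaders reports whether a header value would smuggle extra lines.
func injectsHeaders(value string) bool {
	return strings.ContainsAny(value, "\r\n")
}

func main() {
	for _, v := range []string{naiveDisposition(badFileName), safeDisposition(badFileName)} {
		fmt.Printf("injects=%v lines=%d\n", injectsHeaders(v), len(headerLines(v)))
		for _, l := range headerLines(v) {
			fmt.Println("  " + l)
		}
	}
}
```

The sanitizer deliberately replaces rather than escapes quotes: a backslash-escaped quote is parsed differently by different user agents, and a filename with an underscore in it is harmless.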
## Fiber unauthorized access vulnerability in `ctx.IsFromLocal()` (osv:GHSA-3q5p-3558-364f)

Severity: medium. Affected: any. Fixed in: 2.49.2. Status: fixed.

### Impact

This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.

In its implementation it uses c.IPs():

```go
// IPs returns a string slice of IP addresses specified in the X-Forwarded-For request header.
// When IP validation is enabled, only valid IPs are returned.
func (c *Ctx) IPs() []string {
	return c.extractIPsFromHeader(HeaderXForwardedFor)
}
```

Thereby, setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host will result in true for [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal).

### Patches

This issue has been patched in `v2.49.2` with commit [b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc](https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc).

### Workarounds

Currently, there are no known workarounds to remediate this vulnerability without upgrading to the patched version. We strongly advise users to apply the patch as soon as it is released.

### References

For further information and context regarding this security issue, please refer to the following resources:

- [Mozilla Developer Network - X-Forwarded-For](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For)
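Why a localhost check must not read the client-controlled header, as an added example built on the standard `net/http` request type rather than on fiber (this is not fiber's fix). `isFromLocalViaHeader` mirrors the logic the advisory describes, `isFromLocalViaConn` and `isFromLocalBehindProxy` are hypothetical hardened variants, and `newRequest` builds constructed requests with the peer address the server actually accepted. It goes one step past the advisory: when the app legitimately sits behind a reverse proxy, the forwarded header is consulted only if the connection peer is a configured trusted proxy, and then the address that proxy appended (the last entry) is used, not whatever the client put first.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// xffAddrs returns the comma-separated X-Forwarded-For entries, trimmed.
func xffAddrs(r *http.Request) []string {
	var out []string
	for _, part := range strings.Split(r.Header.Get("X-Forwarded-For"), ",") {
		if p := strings.TrimSpace(part); p != "" {
			out = append(out, p)
		}
	}
	return out
}

func isLoopback(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && ip.IsLoopback()
}

// isFromLocalViaHeader reproduces the pre-2.49.2 behaviour the advisory
// describes: it trusts the first forwarded address, which any client can set.
func isFromLocalViaHeader(r *http.Request) bool {
	addrs := xffAddrs(r)
	return len(addrs) > 0 && isLoopback(addrs[0])
}

// peerHost extracts the IP of the TCP peer from RemoteAddr ("host:port").
func peerHost(r *http.Request) string {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return r.RemoteAddr
	}
	return host
}

// isFromLocalViaConn is a hypothetical hardened check: the decision rests on
// the address of the connection the server accepted, which a remote client
// cannot forge.
func isFromLocalViaConn(r *http.Request) bool {
	return isLoopback(peerHost(r))
}

// isFromLocalBehindProxy consults X-Forwarded-For only when the peer is one of
// the configured trusted proxies, and then uses the entry that proxy appended
// (the last one); earlier entries are whatever the client chose to send.
func isFromLocalBehindProxy(r *http.Request, trustedProxies []string) bool {
	peer := peerHost(r)
	for _, p := range trustedProxies {
		if p == peer {
			if addrs := xffAddrs(r); len(addrs) > 0 {
				return isLoopback(addrs[len(addrs)-1])
			}
			return false
		}
	}
	return isFromLocalViaConn(r)
}

// newRequest constructs a request as the server sees it: remoteAddr is the
// accepted connection's peer, xff the client-supplied header (may be empty).
func newRequest(remoteAddr, xff string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/admin", nil)
	r.RemoteAddr = remoteAddr
	if xff != "" {
		r.Header.Set("X-Forwarded-For", xff)
	}
	return r
}

func main() {
	trusted := []string{"10.0.0.2"} // constructed proxy address
	cases := []struct {
		name string
		r    *http.Request
	}{
		{"spoofed header, direct", newRequest("203.0.113.5:40000", "127.0.0.1")},
		{"spoofed header, via proxy", newRequest("10.0.0.2:5000", "127.0.0.1, 203.0.113.5")},
		{"real loopback", newRequest("127.0.0.1:40001", "")},
	}
	for _, c := range cases {
		fmt.Printf("%-26s header=%-5v conn=%-5v proxyAware=%v\n", c.name,
			isFromLocalViaHeader(c.r), isFromLocalViaConn(c.r), isFromLocalBehindProxy(c.r, trusted))
	}
}
```

The trusted-proxy list has to be configured explicitly; defaulting it to "any" reintroduces the original flaw.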
## Session Middleware Token Injection Vulnerability (osv:GHSA-98j2-3j3p-fw2v)

Severity: critical. Affected: any. Fixed in: 2.52.5. Status: fixed.

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

### Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

### Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

### Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

1. **Validate Session IDs**: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
2. **Session Management**: Regularly rotate session IDs and enforce strict session expiration policies.

### References

For more information on session best practices:

- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

Users are encouraged to review these references and take immediate action to secure their applications.
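The two workarounds above, as an added example of a minimal in-memory session store; this is not fiber's session middleware, and `Store`, `Resolve`, `Rotate`, `Exists` and `newSessionID` are hypothetical names. A client-presented `session_id` is honoured only if the server issued it; anything else is discarded and a fresh ID is minted from `crypto/rand`. A CSPRNG failure is returned as an error rather than papered over with a predictable value, which is also the lesson of the UUID fallback entry at the top of this page.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"sync"
)

// Store is a hypothetical in-memory session store keyed by server-issued IDs.
type Store struct {
	mu       sync.Mutex
	sessions map[string]map[string]string
}

func NewStore() *Store {
	return &Store{sessions: map[string]map[string]string{}}
}

// newSessionID mints 32 random bytes (256 bits) from crypto/rand and fails
// closed: there is no fallback to a predictable or zero value.
func newSessionID() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", fmt.Errorf("session id: csprng unavailable: %w", err)
	}
	return hex.EncodeToString(buf), nil
}

// Resolve implements the first workaround: a presented ID is accepted only if
// this server created it. Otherwise a new session is created under a fresh
// ID, so the client never chooses the key. The bool reports whether the
// presented ID was accepted.
func (s *Store) Resolve(presented string) (string, bool, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if presented != "" {
		if _, ok := s.sessions[presented]; ok {
			return presented, true, nil
		}
	}
	id, err := newSessionID()
	if err != nil {
		return "", false, err
	}
	s.sessions[id] = map[string]string{}
	return id, false, nil
}

// Rotate implements the second workaround: after a privilege change such as
// login, the session data moves to a new ID and the old ID stops resolving,
// which defeats a fixated ID even if one had slipped through.
func (s *Store) Rotate(old string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	data, ok := s.sessions[old]
	if !ok {
		return "", fmt.Errorf("rotate: unknown session")
	}
	id, err := newSessionID()
	if err != nil {
		return "", err
	}
	delete(s.sessions, old)
	s.sessions[id] = data
	return id, nil
}

// Exists reports whether an ID currently resolves to a session.
func (s *Store) Exists(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[id]
	return ok
}

func main() {
	st := NewStore()
	// Constructed value standing in for a cookie the client chose itself.
	id, accepted, err := st.Resolve("attacker-chosen-id")
	if err != nil {
		panic(err)
	}
	fmt.Printf("presented id accepted: %v, issued id prefix: %s\n", accepted, id[:8])
	rotated, err := st.Rotate(id)
	if err != nil {
		panic(err)
	}
	fmt.Printf("after rotate: old exists=%v new exists=%v\n", st.Exists(id), st.Exists(rotated))
}
```

On top of this, the store would still need expiry (the advisory's "strict session expiration policies"), which is a timestamp per entry and a sweep; it is left out to keep the two workarounds visible.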
## API access

Get this data programmatically: free, no authentication.

```
curl https://depscope.dev/api/bugs/go/github.com/gofiber/fiber
```