Lucene search
K

44 matches found

Circl
Circl
added 2026/07/06 10:35 p.m.8 views

CVE-2026-53624

creationtimestamp| type| source ---|---|--- 2026-07-06 22:35:20+00:00| published-proof-of-concept| https://github.com/gofiber/fiber/security/advisories/GHSA-gv83-gqw6-9j2c...

4.8CVSS5.9AI score0.00207EPSS
Exploits0References1
OSV
OSV
added 2026/07/06 8:43 p.m.4 views

GHSA-GV83-GQW6-9J2C GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00207EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/06 8:43 p.m.6 views

GoFiber never set HSTS header in helmet middleware due to incorrect protocol check

Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol — which returns the HTTP protocol version string e.g., "HTTP/1.1", "HTTP/2.0" —...

4.8CVSS5.9AI score0.00207EPSS
Exploits0References2Affected Software1
Snyk
Snyk
added 2026/07/06 8:43 p.m.7 views

Cleartext Transmission of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Transmission of Sensitive Information due to the incorrect protocol check in the helmet middleware, which fails to set the Strict-Transport-Security header even when configured. An attacker can intercept and manipulate network...

6.3CVSS6AI score0.00207EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.7 views

PT-2026-56054

Name of the Vulnerable Software and Affected Versions Fiber versions prior to 3.4.0 Description The helmet middleware in the Fiber web framework fails to set the Strict-Transport-Security HSTS response header, even when HSTSMaxAge is configured. This occurs because the logic in...

4.8CVSS6AI score0.00207EPSS
Exploits0References7
OSV
OSV
added 2026/07/02 1:50 p.m.4 views

GHSA-GCFQ-8GQF-4876 GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...

5.3CVSS5.7AI score0.00455EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/02 1:50 p.m.7 views

GoFiber Vulnerable to X-Real-IP Spoofing via Header.Add() in BalancerForward

Summary The BalancerForward proxy helper in GoFiber uses Header.Add instead of Header.Set when injecting the X-Real-IP header. This appends the real client IP as a second header value rather than replacing any attacker-supplied value. Upstream servers that read the first X-Real-IP header nginx,...

5.3CVSS5.7AI score0.00455EPSS
Exploits0References2Affected Software2
OSV
OSV
added 2026/07/02 1:46 p.m.4 views

GHSA-G5VH-55HW-RXM8 GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...

5.3CVSS5.9AI score0.00516EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/07/02 1:46 p.m.9 views

GoFiber Vulnerable to Username Enumeration via Timing Oracle in BasicAuth Default Authorizer

Summary The default Authorizer function in GoFiber's BasicAuth middleware uses short-circuit evaluation that skips password hash comparison for non-existent usernames. With bcrypt-hashed passwords the primary use case, the timing difference between a valid and invalid username is approximately...

8.3CVSS7.2AI score0.00696EPSS
Exploits0References2Affected Software1
SUSE CVE
SUSE CVE
added 2026/03/04 12:26 a.m.3 views

SUSE CVE-2026-25899

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiberflash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack...

7.5CVSS5.8AI score0.00396EPSS
Exploits1References3
OSV
OSV
added 2026/02/26 4:27 p.m.8 views

GO-2026-4534 Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation in github.com/gofiber/fiber/v3

Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation in github.com/gofiber/fiber/v3...

7.5CVSS5.4AI score0.00396EPSS
Exploits1References2
OSV
OSV
added 2026/02/26 4:27 p.m.4 views

GO-2026-4543 Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber

Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber...

7.5CVSS5.4AI score0.00594EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/02/25 10:17 p.m.5 views

CVE-2026-25899

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiberflash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack...

7.5CVSS5.3AI score0.00396EPSS
Exploits1References1
Snyk
Snyk
added 2026/02/25 12:12 a.m.2 views

Improper Validation of Array Index

Overview github.com/gofiber/fiber/v2 is an Express inspired web framework written in Go. Affected versions of this package are vulnerable to Improper Validation of Array Index via the route registration process. An attacker can cause the application to crash by sending requests to routes containi...

8.7CVSS5.9AI score0.00594EPSS
Exploits1References2
NVD
NVD
added 2026/02/24 10:16 p.m.9 views

CVE-2026-25899

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiberflash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack...

7.5CVSS0.00396EPSS
Exploits1References2
Github Security Blog
Github Security Blog
added 2026/02/24 8:57 p.m.8 views

Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation

Summary The use of the fiberflash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardle...

7.5CVSS5.8AI score0.00396EPSS
Exploits1References5Affected Software1
OSV
OSV
added 2025/12/15 7:37 p.m.8 views

GO-2025-4208 Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values in github.com/gofiber/utils

Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values in github.com/gofiber/utils...

9.8CVSS6.8AI score0.00409EPSS
Exploits0References3
Snyk
Snyk
added 2025/12/08 5:57 p.m.6 views

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Overview Affected versions of this package are vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator PRNG due to the UUIDv4 and UUID functions silently returning predictable values, such as the zero UUID, when the cryptographic random number generator fails. An attacker can...

9.8CVSS7.7AI score0.00409EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-2308

Malicious code in bioql PyPI...

10CVSS6.5AI score0.00686EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2023-2407

Malicious code in bioql PyPI...

5.3CVSS5.5AI score0.00531EPSS
Exploits0References6
Rows per page
Query Builder