14 matches found
CVE-2023-41338
The CVE-2023-41338 issue affects gofiber (Fiber) prior to v2.49.2 where ctx.IsFromLocal() may return true for requests with X-Forwarded-For: 127.0.0.1, allowing access to localhost-scoped resources. Root cause: improper handling of the X-Forwarded-For header in the Ctx.IsFromLocal logic, enabling...
CVE-2025-48075
Summary: The CVE-2025-48075 entry concerns the GoFiber (fiber) web framework. Starting in versions 2.52.6 and earlier than 2.52.7, fiber.Ctx.BodyParser can map flat data to nested slices using key[idx]value syntax; if idx is negative, it panics instead of returning an error, potentially causing d...
CVE-2024-25124
CVE-2024-25124 affects the Go web framework Fiber. Before v2.52.1, the CORS middleware allowed configuring Access-Control-Allow-Origin to a wildcard "*" while Access-Control-Allow-Credentials was true, violating security best practices and enabling potential exposure of sensitive data to cross-si...
CVE-2023-45128
CVE-2023-45128 affects the Fiber (Go) web framework. The CSRF flaw stems from improper validation/enforcement of CSRF tokens, enabling forged requests without authentication and potentially impacting user actions and data. The issue is addressed in Fiber v2.50.0; upgrading to that version (or lat...
CVE-2025-54801
CVE-2025-54801 affects github.com/gofiber/fiber/v2 prior to 2.52.9. The BodyParser parses form data where a very large numeric key is treated as a slice index, causing an out-of-bounds/oversized slice allocation in the decoder. Root cause: the decoder allocates a slice of length idx+1 without val...
CVE-2024-38513
The CVE-2024-38513 issue affects the GoFiber (Fiber) session middleware in GoFiber versions prior to 2.52.5. The vulnerability allows a user to supply their own session_id value, which can cause a session to be created with that key. This can enable unauthorized access or session fixation if an a...
CVE-2023-45141
CVE-2023-45141 affects the Go framework fiber (Fiber). The CSRF token validation vulnerability arises from improper validation/enforcement of CSRF tokens, with tokens not tied to the original requester allowing token reuse and forged actions. Affected data paths include token handling in fiber/v2...
CVE-2020-15111
CVE-2020-15111 affects Fiber prior to 1.12.6. The filename passed to c.Attachment() is not escaped, enabling a CRLF injection when a user-supplied filename is used. This can allow an attacker to alter the downloaded filename, redirect to another site, or modify the HTTP headers (e.g., Authorizati...
CVE-2026-30246
Summary: CVE-2026-30246 affects the Go web framework Fiber (github.com/gofiber/fiber/v3) middleware/cache. The default KeyGenerator uses only the request path, omitting the query string, so requests with different query parameters can map to the same cache key, causing cross-request data mix-ups ...
CVE-2026-42554
CVE-2026-42554 describes an XSS in Fiber’s AutoFormat content negotiation. Affected: GoFiber/v3 up to 3.1.0 and GoFiber/v2 up to 2.52.12. Root cause: the html branch of AutoFormat can emit raw, attacker-influenced data wrapped in HTML when the client sends Accept: text/html, enabling injection of...
CVE-2026-25899
CVE-2026-25899 affects GoFiber (Fiber) v3 branch prior to 3.1.0. The issue arises from the use of the fiber_flash cookie, which can trigger unbounded memory allocation (up to ~85 GB) via unvalidated MsgPack deserialization. A crafted 10-character cookie causes the allocation, with no authenticati...
CVE-2026-25891
This CVE affects the Go web framework Fiber (v3 up to 3.0.0) and allows a remote attacker to perform a path traversal to bypass the static middleware sanitizer and read arbitrary files on Windows. Root cause: improper validation in static middleware enabling directory traversal (CWE-22). Impact: ...
CVE-2026-25882
Fiber (Go) has a Denial of Service vulnerability (CVE-2026-25882) affecting v2 and v3: routing mismatch with more than 30 parameters can crash the app due to missing validation during route registration and an unbounded array write during request matching. Affected versions are v2 prior to 2.52.1...
CVE-2025-66630
Fiber is a Go web framework. Before 2.52.11 and on Go