Lucene search
K
GofiberFiber

14 matches found

CVE
CVE
added 2023/09/08 6:17 p.m.2498 views

CVE-2023-41338

The CVE-2023-41338 issue affects gofiber (Fiber) prior to v2.49.2 where ctx.IsFromLocal() may return true for requests with X-Forwarded-For: 127.0.0.1, allowing access to localhost-scoped resources. Root cause: improper handling of the X-Forwarded-For header in the Ctx.IsFromLocal logic, enabling...

5.3CVSS5.1AI score0.00531EPSS
CVE
CVE
added 2025/05/22 5:25 p.m.194 views

CVE-2025-48075

Summary: The CVE-2025-48075 entry concerns the GoFiber (fiber) web framework. Starting in versions 2.52.6 and earlier than 2.52.7, fiber.Ctx.BodyParser can map flat data to nested slices using key[idx]value syntax; if idx is negative, it panics instead of returning an error, potentially causing d...

8.7CVSS6.5AI score0.0044EPSS
CVE
CVE
added 2024/02/21 9:1 p.m.102 views

CVE-2024-25124

CVE-2024-25124 affects the Go web framework Fiber. Before v2.52.1, the CORS middleware allowed configuring Access-Control-Allow-Origin to a wildcard "*" while Access-Control-Allow-Credentials was true, violating security best practices and enabling potential exposure of sensitive data to cross-si...

9.8CVSS9.2AI score0.0066EPSS
CVE
CVE
added 2023/10/16 8:45 p.m.99 views

CVE-2023-45128

CVE-2023-45128 affects the Fiber (Go) web framework. The CSRF flaw stems from improper validation/enforcement of CSRF tokens, enabling forged requests without authentication and potentially impacting user actions and data. The issue is addressed in Fiber v2.50.0; upgrading to that version (or lat...

10CVSS9.4AI score0.00313EPSS
CVE
CVE
added 2025/08/05 11:33 p.m.84 views

CVE-2025-54801

CVE-2025-54801 affects github.com/gofiber/fiber/v2 prior to 2.52.9. The BodyParser parses form data where a very large numeric key is treated as a slice index, causing an out-of-bounds/oversized slice allocation in the decoder. Root cause: the decoder allocates a slice of length idx+1 without val...

8.7CVSS6.5AI score0.00355EPSS
CVE
CVE
added 2024/07/01 6:31 p.m.78 views

CVE-2024-38513

The CVE-2024-38513 issue affects the GoFiber (Fiber) session middleware in GoFiber versions prior to 2.52.5. The vulnerability allows a user to supply their own session_id value, which can cause a session to be created with that key. This can enable unauthorized access or session fixation if an a...

10CVSS9.4AI score0.00686EPSS
CVE
CVE
added 2023/10/16 8:48 p.m.76 views

CVE-2023-45141

CVE-2023-45141 affects the Go framework fiber (Fiber). The CSRF token validation vulnerability arises from improper validation/enforcement of CSRF tokens, with tokens not tied to the original requester allowing token reuse and forged actions. Affected data paths include token handling in fiber/v2...

8.8CVSS8.8AI score0.00265EPSS
CVE
CVE
added 2020/07/20 5:40 p.m.75 views

CVE-2020-15111

CVE-2020-15111 affects Fiber prior to 1.12.6. The filename passed to c.Attachment() is not escaped, enabling a CRLF injection when a user-supplied filename is used. This can allow an attacker to alter the downloaded filename, redirect to another site, or modify the HTTP headers (e.g., Authorizati...

5.8CVSS4.9AI score0.00861EPSS
CVE
CVE
added 2026/05/05 12:40 p.m.36 views

CVE-2026-30246

Summary: CVE-2026-30246 affects the Go web framework Fiber (github.com/gofiber/fiber/v3) middleware/cache. The default KeyGenerator uses only the request path, omitting the query string, so requests with different query parameters can map to the same cache key, causing cross-request data mix-ups ...

6.5CVSS5.8AI score0.00251EPSS
CVE
CVE
added 2026/05/11 9:47 p.m.25 views

CVE-2026-42554

CVE-2026-42554 describes an XSS in Fiber’s AutoFormat content negotiation. Affected: GoFiber/v3 up to 3.1.0 and GoFiber/v2 up to 2.52.12. Root cause: the html branch of AutoFormat can emit raw, attacker-influenced data wrapped in HTML when the client sends Accept: text/html, enabling injection of...

6.1CVSS6AI score0.00212EPSS
CVE
CVE
added 2026/02/24 9:11 p.m.24 views

CVE-2026-25899

CVE-2026-25899 affects GoFiber (Fiber) v3 branch prior to 3.1.0. The issue arises from the use of the fiber_flash cookie, which can trigger unbounded memory allocation (up to ~85 GB) via unvalidated MsgPack deserialization. A crafted 10-character cookie causes the allocation, with no authenticati...

7.5CVSS5.3AI score0.00396EPSS
CVE
CVE
added 2026/02/24 9:8 p.m.18 views

CVE-2026-25891

This CVE affects the Go web framework Fiber (v3 up to 3.0.0) and allows a remote attacker to perform a path traversal to bypass the static middleware sanitizer and read arbitrary files on Windows. Root cause: improper validation in static middleware enabling directory traversal (CWE-22). Impact: ...

8.7CVSS5.7AI score0.00618EPSS
CVE
CVE
added 2026/02/24 9:5 p.m.13 views

CVE-2026-25882

Fiber (Go) has a Denial of Service vulnerability (CVE-2026-25882) affecting v2 and v3: routing mismatch with more than 30 parameters can crash the app due to missing validation during route registration and an unbounded array write during request matching. Affected versions are v2 prior to 2.52.1...

7.5CVSS5.6AI score0.00594EPSS
CVE
CVE
added 2026/02/09 6:4 p.m.10 views

CVE-2025-66630

Fiber is a Go web framework. Before 2.52.11 and on Go

9.4CVSS5.6AI score0.00471EPSS