Metric | Value |
---|---|
CVSS3 base score | 9.4 High |
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | LOW |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L |
AI Score | 7.2 High |
Confidence | Low |
EPSS | 0.0004 Low |
Percentile | 13.0% |
Fiber is vulnerable to Permissive Cross-domain Policy with Untrusted Domains. The vulnerability is due to an insecure configuration: the Access-Control-Allow-Origin header can be set to a wildcard (*) while Access-Control-Allow-Credentials is also set to true, contrary to recommended security best practices. If the application uses session cookies or other authentication tokens, a malicious site could use the exposed credentials to hijack user sessions.
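As an added illustration (not Fiber's code and not part of the advisory), the following Go snippet uses only the standard library to show the two things a CORS layer needs in order to enable credentials safely: a startup check that refuses the wildcard-plus-credentials combination described above, and an allowlist that reflects only known origins so the wildcard is never sent alongside credentials. CORSConfig, Validate, Middleware and AllowOriginFor are hypothetical names, and https://app.example is a constructed origin.

```go
package main

import (
	"errors"
	"net/http"
	"net/http/httptest"
)

// CORSConfig is a hypothetical stand-in for the two settings at issue (not Fiber's cors.Config).
type CORSConfig struct {
	AllowOrigins     []string // explicit origins such as "https://app.example"; "*" is the wildcard
	AllowCredentials bool
}
// Validate rejects, at startup, the advisory's combination: Access-Control-Allow-Origin "*" plus Access-Control-Allow-Credentials "true".
func (c CORSConfig) Validate() error {
	for _, o := range c.AllowOrigins {
		if o == "*" && c.AllowCredentials {
			return errors.New("cors: wildcard origin cannot be combined with credentials")
		}
	}
	return nil
}
// Middleware reflects an allowlisted Origin, emits "*" only when credentials are off, and sends nothing to unknown origins.
func (c CORSConfig) Middleware(next http.Handler) http.Handler {
	allowed := map[string]bool{}
	for _, o := range c.AllowOrigins {
		allowed[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != "" && allowed[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // the response differs per Origin, so shared caches must not reuse it
			if c.AllowCredentials {
				w.Header().Set("Access-Control-Allow-Credentials", "true")
			}
		} else if allowed["*"] && !c.AllowCredentials {
			w.Header().Set("Access-Control-Allow-Origin", "*") // the wildcard is safe only without credentials
		}
		next.ServeHTTP(w, r)
	})
}
// AllowOriginFor sends one request with the given Origin through Middleware and returns the Access-Control-Allow-Origin value seen ("" = no grant).
func AllowOriginFor(c CORSConfig, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/me", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	c.Middleware(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}
```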
CPE name | Operator | Version |
---|---|---|
github.com/gofiber/fiber | le | v2.52.0 |
blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials
codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials/
developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
fetch.spec.whatwg.org/#cors-protocol-and-credentials
github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
github.com/gofiber/fiber/releases/tag/v2.52.1
github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg
portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties
saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true