Vulnerabilites related to gofiber - fiber
Vulnerability from fkie_nvd
Published
2023-10-16 21:15
Modified
2024-11-21 08:26
Severity ?
10.0 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*",
"matchCriteriaId": "D4CF7CB2-A259-42A1-A42F-26170DCC266D",
"versionEndExcluding": "2.50.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."
},
{
"lang": "es",
"value": "Fiber es un framework web inspirado en Express escrito en Go. Se ha identificado una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la aplicaci\u00f3n, que permite a un atacante inyectar valores arbitrarios y falsificar solicitudes maliciosas en nombre de un usuario. Esta vulnerabilidad puede permitir a un atacante inyectar valores arbitrarios sin ninguna autenticaci\u00f3n o realizar diversas acciones maliciosas en nombre de un usuario autenticado, comprometiendo potencialmente la seguridad y la integridad de la aplicaci\u00f3n. La vulnerabilidad se debe a una validaci\u00f3n y aplicaci\u00f3n inadecuadas de los tokens CSRF dentro de la aplicaci\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 2.50.0 y se recomienda a los usuarios que actualicen. Los usuarios deben tomar medidas de seguridad adicionales como captchas o autenticaci\u00f3n de dos factores (2FA) y configurar cookies de sesi\u00f3n con SameSite=Lax o SameSite=Secure, y los atributos Secure y HttpOnly como medidas de defensa en profundidad. No se conocen workarounds para esta vulnerabilidad."
}
],
"id": "CVE-2023-45128",
"lastModified": "2024-11-21T08:26:23.870",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-16T21:15:11.137",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-352"
},
{
"lang": "en",
"value": "CWE-565"
},
{
"lang": "en",
"value": "CWE-807"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2025-05-22 18:15
Modified
2025-05-30 01:18
Severity ?
Summary
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*",
"matchCriteriaId": "0F6C860D-F467-442C-968A-A1A95A3B20BE",
"versionEndExcluding": "2.52.7",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue."
},
{
"lang": "es",
"value": "Fiber es un framework web inspirado en Express y escrito en Go. A partir de la versi\u00f3n 2.52.6 y anteriores a la 2.52.7, `fiber.Ctx.BodyParser` puede asignar datos planos a segmentos anidados mediante la sintaxis `key[idx]value`. Sin embargo, cuando `idx` es negativo, genera un p\u00e1nico en lugar de devolver un error que indica que no puede procesar los datos. Dado que estos datos son proporcionados por el usuario, esto podr\u00eda provocar una denegaci\u00f3n de servicio para cualquiera que dependa de esta funcionalidad de `fiber.Ctx.BodyParser`. La versi\u00f3n 2.52.7 soluciona este problema."
}
],
"id": "CVE-2025-48075",
"lastModified": "2025-05-30T01:18:13.397",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-22T18:15:43.310",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory",
"Exploit"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Vendor Advisory",
"Exploit"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-129"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-02-21 21:15
Modified
2025-02-05 22:03
Severity ?
9.4 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*",
"matchCriteriaId": "FE99D46C-AA78-4C2D-B608-48B3FAAB2882",
"versionEndExcluding": "2.52.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."
},
{
"lang": "es",
"value": "Fiber es un framework web escrito en go. Antes de la versi\u00f3n 2.52.1, el middleware CORS permit\u00eda configuraciones inseguras que podr\u00edan exponer la aplicaci\u00f3n a m\u00faltiples vulnerabilidades relacionadas con CORS. Espec\u00edficamente, permite establecer el encabezado Access-Control-Allow-Origin en un comod\u00edn (`*`) y al mismo tiempo tener Access-Control-Allow-Credentials establecido en verdadero, lo que va en contra de las mejores pr\u00e1cticas de seguridad recomendadas. El impacto de esta mala configuraci\u00f3n es alto, ya que puede conducir a un acceso no autorizado a datos confidenciales del usuario y exponer el sistema a varios tipos de ataques enumerados en el art\u00edculo de PortSwigger vinculado en las referencias. La versi\u00f3n 2.52.1 contiene un parche para este problema. Como workaround, los usuarios pueden validar manualmente las configuraciones de CORS en su implementaci\u00f3n para asegurarse de que no permitan un origen comod\u00edn cuando las credenciales est\u00e9n habilitadas. La API de recuperaci\u00f3n del navegador, as\u00ed como los navegadores y las utilidades que aplican las pol\u00edticas CORS, no se ven afectados por esto."
}
],
"id": "CVE-2024-25124",
"lastModified": "2025-02-05T22:03:51.013",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-02-21T21:15:09.250",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"source": "security-advisories@github.com",
"tags": [
"Broken Link"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
},
{
"lang": "en",
"value": "CWE-942"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-16 21:15
Modified
2024-11-21 08:26
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p | Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p | Mitigation, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*",
"matchCriteriaId": "D4CF7CB2-A259-42A1-A42F-26170DCC266D",
"versionEndExcluding": "2.50.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user\u0027s behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes."
},
{
"lang": "es",
"value": "Fiber es un framework web inspirado en Express escrito en Go. Se ha identificado una vulnerabilidad de Cross-Site Request Forgery (CSRF) en la aplicaci\u00f3n, que permite a un atacante obtener tokens y falsificar solicitudes maliciosas en nombre de un usuario. Esto puede dar lugar a que se realicen acciones no autorizadas en nombre del usuario, lo que podr\u00eda comprometer la seguridad y la integridad de la aplicaci\u00f3n. La vulnerabilidad se debe a una validaci\u00f3n y aplicaci\u00f3n inadecuadas de los tokens CSRF dentro de la aplicaci\u00f3n. Esta vulnerabilidad se solucion\u00f3 en la versi\u00f3n 2.50.0 y se recomienda a los usuarios actualizarla. Los usuarios deben tomar medidas de seguridad adicionales como captchas o autenticaci\u00f3n de dos factores (2FA) y configurar cookies de sesi\u00f3n con SameSite=Lax o SameSite=Secure, y los atributos Secure y HttpOnly."
}
],
"id": "CVE-2023-45141",
"lastModified": "2024-11-21T08:26:25.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-16T21:15:11.237",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
},
{
"lang": "en",
"value": "CWE-565"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-09-08 19:15
Modified
2024-11-21 08:21
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DC21F2CF-3B2C-4803-AF42-0377FB5CD6AD",
"versionEndExcluding": "2.49.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version. "
},
{
"lang": "es",
"value": "Fiber es un framework web inspirado en Express creado en el lenguaje Go. Las versiones de gofiber anteriores a la 2.49.2 no restring\u00edan adecuadamente el acceso a localhost. Este problema afecta a los usuarios de nuestro proyecto que dependen del m\u00e9todo `ctx.IsFromLocal` para restringir el acceso a las solicitudes de localhost. Si se explota, podr\u00eda permitir el acceso no autorizado a recursos destinados \u00fanicamente a localhost. Configurar `X-Forwarded-For: 127.0.0.1` en una solicitud de un host externo dar\u00e1 como resultado verdadero para `ctx.IsFromLocal`. El acceso est\u00e1 limitado al alcance del proceso afectado. Este problema se solucion\u00f3 en la versi\u00f3n `2.49.2` con el commit `b8c9ede6`. Se recomienda a los usuarios que actualicen. No se conocen soluciones para remediar esta vulnerabilidad sin actualizar a la versi\u00f3n parcheada."
}
],
"id": "CVE-2023-41338",
"lastModified": "2024-11-21T08:21:06.483",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-09-08T19:15:43.977",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Technical Description"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product"
],
"url": "https://docs.gofiber.io/api/ctx#isfromlocal"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Technical Description"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.gofiber.io/api/ctx#isfromlocal"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-670"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-07-20 18:15
Modified
2024-11-21 05:04
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*",
"matchCriteriaId": "951C1396-5CA3-475A-8AA8-D007A63B0CBE",
"versionEndExcluding": "1.12.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment()."
},
{
"lang": "es",
"value": "En Fiber versiones anteriores a 1.12.6, el nombre de archivo que se proporciona en la funci\u00f3n c.Attachment() (https://docs.gofiber.io/ctx#attachment) no es escapado y, por lo tanto, es vulnerable a un ataque de inyecci\u00f3n CRLF. Es decir, un atacante podr\u00eda cargar un nombre de archivo personalizado y luego darle el enlace a la v\u00edctima. Con este nombre de archivo, el atacante puede cambiar el nombre del archivo descargado, redireccionar a otro sitio, cambiar el encabezado de autorizaci\u00f3n, etc. Una posible soluci\u00f3n es serializar la entrada antes de pasarla hacia la funci\u00f3n ctx.Attachment()"
}
],
"id": "CVE-2020-15111",
"lastModified": "2024-11-21T05:04:50.223",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-07-20T18:15:12.000",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
},
{
"lang": "en",
"value": "CWE-93"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2020-15111 (GCVE-0-2020-15111)
Vulnerability from cvelistv5
Published
2020-07-20 17:40
Modified
2024-08-04 13:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().
References
| ► | URL | Tags |
|---|---|---|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T13:08:21.646Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-07-20T17:40:14",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
}
],
"source": {
"advisory": "GHSA-9cx9-x2gp-9qvh",
"discovery": "UNKNOWN"
},
"title": "CRLF vulnerability in Fiber",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-15111",
"STATE": "PUBLIC",
"TITLE": "CRLF vulnerability in Fiber"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "fiber",
"version": {
"version_data": [
{
"version_value": "\u003c 1.12.6"
}
]
}
}
]
},
"vendor_name": "gofiber"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment()."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh",
"refsource": "CONFIRM",
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh"
},
{
"name": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f",
"refsource": "MISC",
"url": "https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f"
}
]
},
"source": {
"advisory": "GHSA-9cx9-x2gp-9qvh",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2020-15111",
"datePublished": "2020-07-20T17:40:14",
"dateReserved": "2020-06-25T00:00:00",
"dateUpdated": "2024-08-04T13:08:21.646Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-41338 (GCVE-0-2023-41338)
Vulnerability from cvelistv5
Published
2023-09-08 18:17
Modified
2024-09-26 14:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-670 - Always-Incorrect Control Flow Implementation
Summary
Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.
References
| ► | URL | Tags | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:01:34.692Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f"
},
{
"name": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"
},
{
"name": "https://docs.gofiber.io/api/ctx#isfromlocal",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.gofiber.io/api/ctx#isfromlocal"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"lessThan": "2.49.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-41338",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T13:59:21.650864Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T14:05:03.642Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.49.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-670",
"description": "CWE-670: Always-Incorrect Control Flow Implementation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-09-08T18:17:18.044Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-3q5p-3558-364f"
},
{
"name": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/b8c9ede6efa231116c4bd8bb9d5e03eac1cb76dc"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"
},
{
"name": "https://docs.gofiber.io/api/ctx#isfromlocal",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.gofiber.io/api/ctx#isfromlocal"
}
],
"source": {
"advisory": "GHSA-3q5p-3558-364f",
"discovery": "UNKNOWN"
},
"title": "Vulnerability in Ctx.IsFromLocal() in gofiber"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-41338",
"datePublished": "2023-09-08T18:17:18.044Z",
"dateReserved": "2023-08-28T16:56:43.368Z",
"dateUpdated": "2024-09-26T14:05:03.642Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45128 (GCVE-0-2023-45128)
Vulnerability from cvelistv5
Published
2023-10-16 20:45
Modified
2024-09-16 14:23
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:18.999Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
},
{
"name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T14:23:34.651707Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T14:23:48.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807: Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T20:46:19.342Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-94w9-97p3-p368"
},
{
"name": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/8c3916dbf4ad2ed427d02c6eb63ae8b2fa8f019a"
}
],
"source": {
"advisory": "GHSA-94w9-97p3-p368",
"discovery": "UNKNOWN"
},
"title": "CSRF Token Reuse Vulnerability in fiber"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45128",
"datePublished": "2023-10-16T20:45:07.068Z",
"dateReserved": "2023-10-04T16:02:46.327Z",
"dateUpdated": "2024-09-16T14:23:48.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54801 (GCVE-0-2025-54801)
Vulnerability from cvelistv5
Published
2025-08-05 23:33
Modified
2025-08-07 14:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-789 - Memory Allocation with Excessive Size Value
Summary
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54801",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-07T13:59:43.620645Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-07T14:00:09.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.52.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber\u0027s Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-05T23:33:28.221Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
},
{
"name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
}
],
"source": {
"advisory": "GHSA-qx2q-88mx-vhg7",
"discovery": "UNKNOWN"
},
"title": "Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54801",
"datePublished": "2025-08-05T23:33:28.221Z",
"dateReserved": "2025-07-29T16:50:28.395Z",
"dateUpdated": "2025-08-07T14:00:09.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-45141 (GCVE-0-2023-45141)
Vulnerability from cvelistv5
Published
2023-10-16 20:48
Modified
2024-09-16 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.
References
| ► | URL | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:18.365Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*"
],
"defaultStatus": "unknown",
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"lessThan": "2.50.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-16T15:22:04.464336Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-16T15:53:51.368Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.50.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user\u0027s behalf, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This vulnerability has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-565",
"description": "CWE-565: Reliance on Cookies without Validation and Integrity Checking",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-16T20:48:55.590Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mv73-f69x-444p"
}
],
"source": {
"advisory": "GHSA-mv73-f69x-444p",
"discovery": "UNKNOWN"
},
"title": "CSRF Token Validation Vulnerability in fiber"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-45141",
"datePublished": "2023-10-16T20:48:55.590Z",
"dateReserved": "2023-10-04T16:02:46.329Z",
"dateUpdated": "2024-09-16T15:53:51.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-48075 (GCVE-0-2025-48075)
Vulnerability from cvelistv5
Published
2025-05-22 17:25
Modified
2025-05-22 17:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-129 - Improper Validation of Array Index
Summary
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-48075",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-22T17:58:04.769002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:59:02.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.52.6, \u003c 2.52.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-22T17:25:18.447Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
},
{
"name": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
}
],
"source": {
"advisory": "GHSA-hg3g-gphw-5hhm",
"discovery": "UNKNOWN"
},
"title": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-48075",
"datePublished": "2025-05-22T17:25:18.447Z",
"dateReserved": "2025-05-15T16:06:40.942Z",
"dateUpdated": "2025-05-22T17:59:02.707Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38513 (GCVE-0-2024-38513)
Vulnerability from cvelistv5
Published
2024-07-01 18:31
Modified
2024-08-02 04:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-384 - Session Fixation
Summary
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.
References
| ► | URL | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"lessThan": "2.52.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38513",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T20:26:43.929677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-02T20:31:39.546Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.224Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
},
{
"name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.52.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber\u0027s session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384: Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T18:31:13.028Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-98j2-3j3p-fw2v"
},
{
"name": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/66a881441b27322a331f1b526cf1eb6b3358a4d8"
}
],
"source": {
"advisory": "GHSA-98j2-3j3p-fw2v",
"discovery": "UNKNOWN"
},
"title": "Fiber Session Middleware Token Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38513",
"datePublished": "2024-07-01T18:31:13.028Z",
"dateReserved": "2024-06-18T16:37:02.727Z",
"dateUpdated": "2024-08-02T04:12:25.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-25124 (GCVE-0-2024-25124)
Vulnerability from cvelistv5
Published
2024-02-21 21:01
Modified
2024-08-26 14:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:36:21.623Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"lessThan": "2.52.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-25124",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-22T16:40:32.534976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T14:39:19.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fiber",
"vendor": "gofiber",
"versions": [
{
"status": "affected",
"version": "\u003c 2.52.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, as well as browsers and utilities that enforce CORS policies, are not affected by this."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.4,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-21T21:01:44.672Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg"
},
{
"name": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23"
},
{
"name": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials"
},
{
"name": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials"
},
{
"name": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials",
"tags": [
"x_refsource_MISC"
],
"url": "https://fetch.spec.whatwg.org/#cors-protocol-and-credentials"
},
{
"name": "https://github.com/gofiber/fiber/releases/tag/v2.52.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.1"
},
{
"name": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true",
"tags": [
"x_refsource_MISC"
],
"url": "https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true"
},
{
"name": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html",
"tags": [
"x_refsource_MISC"
],
"url": "http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html"
}
],
"source": {
"advisory": "GHSA-fmg4-x8pw-hjhg",
"discovery": "UNKNOWN"
},
"title": "Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-25124",
"datePublished": "2024-02-21T21:01:44.672Z",
"dateReserved": "2024-02-05T14:14:46.380Z",
"dateUpdated": "2024-08-26T14:39:19.825Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}