ghsa-qx2q-88mx-vhg7
Vulnerability from github
Description
When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.
The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.
Steps to Reproduce
Create a POST request handler that accepts x-www-form-urlencoded data
```go package main
import ( "fmt" "net/http"
"github.com/gofiber/fiber/v2"
)
type RequestBody struct {
NestedContent []*struct{} form:"test"
}
func main() { app := fiber.New()
app.Post("/", func(c *fiber.Ctx) error {
formData := RequestBody{}
if err := c.BodyParser(&formData); err != nil {
fmt.Println(err)
return c.SendStatus(http.StatusUnprocessableEntity)
}
return nil
})
fmt.Println(app.Listen(":3000"))
}
```
Run the server and send a POST request with a large numeric key in form data, such as:
bash
curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
-H 'Content-Type: application/x-www-form-urlencoded'
Relevant Code Snippet
Within the decoder's decode method:
go
idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
value := reflect.MakeSlice(t, idx+1, idx+1) // <-- Panic/crash occurs here when idx is huge
if v.Len() < idx+1 {
reflect.Copy(value, v)
}
v.Set(value)
}
The idx is not validated before use, leading to unsafe slice allocation for extremely large values.
Impact
- Application panic or crash on malicious or malformed input.
- Potential denial of service (DoS) via memory exhaustion or server crash.
- Lack of defensive checks in the parsing code causes instability.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.52.8"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/fiber/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.52.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-54801"
],
"database_specific": {
"cwe_ids": [
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-05T15:22:21Z",
"nvd_published_at": "2025-08-06T00:15:31Z",
"severity": "HIGH"
},
"details": "### Description\n\nWhen using Fiber\u0027s `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.\n\nThe root cause is that the decoder attempts to allocate a slice of length `idx + 1` without validating whether the index is within a safe or reasonable range. If `idx` is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.\n\n\n### Steps to Reproduce\n\nCreate a POST request handler that accepts `x-www-form-urlencoded` data\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct{} `form:\"test\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(\u0026formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n\t\treturn nil\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\nRun the server and send a POST request with a large numeric key in form data, such as:\n\n```bash\ncurl -v -X POST localhost:3000 --data-raw \u0027test.18446744073704\u0027 \\\n -H \u0027Content-Type: application/x-www-form-urlencoded\u0027\n```\n\n\n### Relevant Code Snippet\n\nWithin the decoder\u0027s [decode method](https://github.com/gofiber/fiber/blob/v2.52.8/internal/schema/decoder.go#L249):\n\n```go\nidx := parts[0].index\nif v.IsNil() || v.Len() \u003c idx+1 {\n value := reflect.MakeSlice(t, idx+1, idx+1) // \u003c-- Panic/crash occurs here when idx is huge\n if v.Len() \u003c idx+1 {\n reflect.Copy(value, v)\n }\n v.Set(value)\n}\n```\n\nThe `idx` is not validated before use, leading to unsafe slice allocation for extremely large values.\n\n---\n\n### Impact\n\n- Application panic or crash on malicious or malformed input.\n- Potential denial of service (DoS) via memory exhaustion or server crash.\n- Lack of defensive checks in the parsing code causes instability.",
"id": "GHSA-qx2q-88mx-vhg7",
"modified": "2025-08-06T14:31:40Z",
"published": "2025-08-05T15:22:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54801"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/fiber"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.