CVE-2023-41338
published 2023-09-08


Priority: P429
Severity: medium (CVSS 3.1 base score 5.3)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.53% (40.8th percentile)
Fiber is an Express-inspired web framework built in the Go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host will result in `true` for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.
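The behaviour described above, as an added Go example (a constructed stand-in, not Fiber's own code or the 2.49.2 patch): a loopback check that derives the client address from X-Forwarded-For beside one that decides only on the socket peer address, which a remote client cannot set.

```go
package main

import (
	"net"
	"strings"
)

// Request is a constructed stand-in for the two facts a localhost check
// can draw on: the TCP peer address (set by the network stack) and the
// X-Forwarded-For header (set by whoever sent the request).
type Request struct {
	RemoteAddr    string // e.g. "203.0.113.7:51234"
	XForwardedFor string // client-supplied, may be empty
}

func isLoopback(ipStr string) bool {
	ip := net.ParseIP(strings.TrimSpace(ipStr))
	return ip != nil && ip.IsLoopback()
}

func peerIsLoopback(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	return isLoopback(host)
}

// IsFromLocalVulnerable models the pre-2.49.2 behaviour the advisory
// describes: when X-Forwarded-For is present its first entry is treated
// as the client IP, so a foreign host claiming "127.0.0.1" passes.
func IsFromLocalVulnerable(r Request) bool {
	if r.XForwardedFor != "" {
		return isLoopback(strings.Split(r.XForwardedFor, ",")[0])
	}
	return peerIsLoopback(r.RemoteAddr)
}

// IsFromLocalHardened ignores forwarding headers entirely and trusts only
// the connection's peer address. A request that really originates on the
// machine arrives from 127.0.0.1 or ::1 regardless of any header it carries.
func IsFromLocalHardened(r Request) bool {
	return peerIsLoopback(r.RemoteAddr)
}
```

If the service sits behind a reverse proxy, the hardened check classifies every request as non-local; that is the correct answer for a "localhost only" gate, since the proxy, not the original client, is the peer.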

Affected (4 ranges)

Vendor      Product            Version range                                  Fixed in
github.com  gofiber_fiber      0 – 1.14.6
github.com  gofiber_fiber_v2   >= 0, < 2.49.2-0.20230906112033-b8c9ede6efa2   2.49.2-0.20230906112033-b8c9ede6efa2
github.com  gofiber_fiber_v2   >= 0, < 2.49.2                                 2.49.2
gofiber     fiber              < 2.49.2                                       2.49.2