CVE-2025-54801
Published 2025-08-06
Priority: P3 (41), severity high, CVSS 3.1 base score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.33% (24.8th percentile)
Fiber is an Express-inspired web framework written in Go. In versions 2.52.8 and earlier, when Ctx.BodyParser parses form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes because of an out-of-bounds slice allocation in the underlying schema decoder. The decoder allocates a slice of length idx + 1 without checking that the index lies within a reasonable range; for an excessively large idx this causes an integer overflow or memory exhaustion, and the resulting panic crashes the process. This is fixed in version 2.52.9.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gofiber_fiber_v2 | >= 0 < 2.52.9 | 2.52.9 |
| gofiber | fiber | < 2.52.9 | 2.52.9 |
CVSS provenance
NVD, CVSS v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD, CVSS v4.0: 8.7 HIGH, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder in github.com/gofiber/fiber
osv·2025-08-11
OSV
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
osv·2025-08-05
CVE-2025-54801 [HIGH]
### Description
When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.
The root cause is that the decoder attempts to allocate a slice of length `idx + 1` without validating whether the index is within a safe or reasonable range. If `idx` is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.
### Steps to Reproduce
Create a POST request handler that accepts `x-www-form-urlencoded` data:
```go
package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type Req
```
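The advisory excerpt above ends before the request type and handler are shown. What follows is an added example, not code from the advisory or from gofiber/fiber: a small stand-alone decoder for form keys of the shape `name.idx` that reproduces the allocation pattern the advisory describes (`decodeUnsafe`, which trusts any integer index and calls `make([]string, idx+1)`, with the resulting runtime panic recovered so it can be observed rather than crashing the process) beside a bounded variant (`decodeSafe`) that rejects negative or oversized indexes before allocating. The cap `maxSliceIndex`, the function names and the sample bodies are assumptions constructed for this example; they are not the values or identifiers used in Fiber or in the gofiber/schema decoder.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// maxSliceIndex is an assumed upper bound chosen for this example; it is not a
// value taken from gofiber/fiber or gofiber/schema.
const maxSliceIndex = 1000

// ErrIndexOutOfRange is returned by decodeSafe for a rejected slice index.
var ErrIndexOutOfRange = errors.New("slice index out of range")

// splitIndexedKey splits a form key like "test.3" into ("test", 3, true).
// Keys without a trailing ".<integer>" suffix are returned with ok == false.
func splitIndexedKey(key string) (name string, idx int64, ok bool) {
	dot := strings.LastIndexByte(key, '.')
	if dot < 0 || dot == len(key)-1 {
		return key, 0, false
	}
	n, err := strconv.ParseInt(key[dot+1:], 10, 64)
	if err != nil {
		return key, 0, false
	}
	return key[:dot], n, true
}

// storeUnchecked places val at position idx of the slice held under name,
// growing the slice with make([]string, idx+1) exactly as the advisory
// describes, with no range check on idx. decodeSafe only calls it after
// validating idx; decodeUnsafe calls it for any parsed index.
func storeUnchecked(out map[string][]string, name string, idx int64, val string) {
	slice := out[name]
	if idx >= int64(len(slice)) {
		grown := make([]string, idx+1) // idx+1 may overflow or exceed the allocator's limit
		copy(grown, slice)
		slice = grown
	}
	slice[idx] = val
	out[name] = slice
}

// decodeUnsafe mirrors the pre-fix behaviour: every integer index is trusted.
// A huge index panics inside make (len out of range) and a negative one panics
// on the element store; the panic is recovered and surfaced as an error so the
// caller can observe it instead of the process dying.
func decodeUnsafe(form url.Values) (out map[string][]string, err error) {
	defer func() {
		if r := recover(); r != nil {
			out, err = nil, fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	out = make(map[string][]string)
	for key, vals := range form {
		name, idx, ok := splitIndexedKey(key)
		if !ok {
			out[key] = append([]string(nil), vals...)
			continue
		}
		storeUnchecked(out, name, idx, vals[0])
	}
	return out, nil
}

// decodeSafe validates the index before any allocation happens: negative
// indexes and indexes above maxSliceIndex yield an error a handler can map to
// a 400 response, so an attacker-controlled key can no longer drive make().
func decodeSafe(form url.Values) (map[string][]string, error) {
	out := make(map[string][]string)
	for key, vals := range form {
		name, idx, ok := splitIndexedKey(key)
		if !ok {
			out[key] = append([]string(nil), vals...)
			continue
		}
		if idx < 0 || idx > maxSliceIndex {
			return nil, fmt.Errorf("key %q: %w (max %d)", key, ErrIndexOutOfRange, maxSliceIndex)
		}
		storeUnchecked(out, name, idx, vals[0]) // bounded, so the allocation stays small
	}
	return out, nil
}

func main() {
	// Constructed sample bodies: a benign one and the advisory's oversized index.
	for _, body := range []string{"name=bob&test.0=a&test.2=c", "test.18446744073704=x"} {
		form, _ := url.ParseQuery(body)
		_, unsafeErr := decodeUnsafe(form)
		_, safeErr := decodeSafe(form)
		fmt.Printf("%s\n  unsafe: %v\n  safe:   %v\n", body, unsafeErr, safeErr)
	}
}
```

The bound is the whole fix: once the index is checked before `make`, the overflow of `idx+1` and the oversized allocation are both unreachable, and the decoder degrades to a client error instead of a crash. Note that `decodeUnsafe` deliberately turns the panic into a returned error only so the example can run to completion; in a server the same panic, if not recovered, takes the process down as the advisory describes.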
GHSA
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
ghsa·2025-08-05
CVE-2025-54801 [HIGH] CWE-789
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2025-54801 golang-github-deepmap-oapi-codegen: Fiber: Out-of-Bounds Slice Allocation Crash [fedora-42]
bugzilla·2025-08-06·CVSS 8.7
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
The following link provides references to all essential vulnerability management information. If something is wrong or missing, please contact a member of PSIRT.
https://spaces.redhat.com/display/PRODSEC/Vulnerability+Management+-+Essential+Documents+for+Engineering+Teams
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's polic
Bugzilla
CVE-2025-54801 golang-github-gofiber-fiber-2: Fiber: Out-of-Bounds Slice Allocation Crash [fedora-42]
bugzilla·2025-08-06·CVSS 8.7