# CVE-2026-25882
Published 2026-02-24
Priority P3 · 43 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.59% (44.0th percentile)
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
## Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gofiber_fiber_v2 | >= 0 < 2.52.12 | 2.52.12 |
| github.com | gofiber_fiber_v3 | >= 0 < 3.1.0 | 3.1.0 |
| gofiber | fiber | — | — |
| gofiber | fiber | — | — |
| gofiber | fiber | >= 2.0.0 < 2.52.12 | 2.52.12 |
| gofiber | fiber | >= 3.0.0 < 3.1.0 | 3.1.0 |
## CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber
osv · 2026-02-26
GHSA
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
ghsa · 2026-02-24 · MEDIUM · CWE-129
A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.
## Affected Versions
- **Fiber v3.0.0-rc.3** and earlier v3 releases
- **Fiber v2.52.10** and potentially all v2 releases (confirmed exploitable)
- Both versions share the same vulnerable routing implementation
## Vulnerability Details
### Root Cause
Both Fiber v2 and v3 define a fixed-size parameter array in `ctx.go`:
```go
const maxParams = 30

type DefaultCtx struct {
	values [maxParams]string // Fixe
```
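To make the root cause concrete, here is an added illustration that is not Fiber's code: a simplified model of the fixed `[maxParams]string` array, the registration-time check the advisory says was missing, and a `crashes` probe showing that an unchecked write of more than 30 matched values ends in a Go runtime panic. The names `countParams`, `validateRoute`, `uncheckedFill`, `crashes` and `errTooManyParams` are this example's own, and the pattern parser is deliberately minimal (no wildcards or optional markers).

```go
package main

import (
	"errors"
	"strings"
)

// maxParams mirrors the fixed-size array in Fiber's ctx.go (values [maxParams]string).
const maxParams = 30

// errTooManyParams is a name chosen for this example, not Fiber's own error value.
var errTooManyParams = errors.New("route declares more than maxParams parameters")

// countParams counts ":name" segments in a pattern such as "/users/:id/posts/:pid".
// Simplified model of a router's parser: wildcards and optional markers are ignored.
func countParams(pattern string) int {
	n := 0
	for _, seg := range strings.Split(pattern, "/") {
		if strings.HasPrefix(seg, ":") {
			n++
		}
	}
	return n
}

// validateRoute is the registration-time check the advisory describes as missing:
// a pattern that can never fit the parameter array is rejected before any request hits it.
func validateRoute(pattern string) error {
	if countParams(pattern) > maxParams {
		return errTooManyParams
	}
	return nil
}

// uncheckedFill models the request-matching write: the i-th matched value is stored at
// values[i] with no bounds check, so at i == maxParams the Go runtime panics (the crash).
func uncheckedFill(values *[maxParams]string, matched []string) {
	for i, v := range matched {
		values[i] = v
	}
}

// crashes reports whether uncheckedFill panics when a request matches n parameters.
func crashes(n int) (panicked bool) {
	defer func() { panicked = recover() != nil }()
	var values [maxParams]string
	uncheckedFill(&values, make([]string, n))
	return false
}
```

With the check in place a 31-parameter route never registers, so the write that would overflow the array is never reached; without it, the first matching request takes the process down.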
OSV
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
osv · 2026-02-24 · MEDIUM
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-25882 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.5 · MEDIUM
## CVE-2026-25882: Wolfi vulnerability analysis and mitigation
Description: as published by NVD (quoted at the top of this page). Source: NVD
| Field | Value |
|---|---|
| Score | 5.5 |
| Published | February 24, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.5 |
| Affected Technologies | Wolfi, Chainguard |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percen | |
Bugzilla
CVE-2026-25882 golang-github-gofiber-fiber-2: Fiber: Denial of Service via excessive route parameters [fedora-42]
bugzilla · 2026-02-24 · CVSS 5.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently mai
Bugzilla
CVE-2026-25882 golang-github-deepmap-oapi-codegen: Fiber: Denial of Service via excessive route parameters [fedora-42]
bugzilla · 2026-02-24 · CVSS 5.5 · MEDIUM
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currentl