github.com/gofiber/fiber/v2 vulnerabilities
11 known vulnerabilities affecting github.com/gofiber/fiber/v2.
Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 3, MEDIUM 4
Vulnerabilities
CVE-2025-66630 | P3 | CRITICAL | Affected: ≥ 0, < 2.52.11 | Date: 2026-02-09
CVE-2025-66630 [CRITICAL] CWE-338 Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID(): predictable / zero-UUID on crypto/rand failure
Fiber v2 contains an internal vendored copy of `gofiber/utils`, and its functions `UUIDv4()` and `UUID()` inherit the same critical weakness described in the upstream advisory. On **Go versions prior to 1.24**, the underlying `crypto/rand`
Sources: GHSA, OSV
CVE-2024-38513 | P3 | CRITICAL | Affected: ≥ 0, < 2.52.5 | Date: 2024-07-01
CVE-2024-38513 [CRITICAL] CWE-384 Session Middleware Token Injection Vulnerability
A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.
## Impact
The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in
Sources: GHSA, OSV
CVE-2024-25124 | P3 | CRITICAL | Affected: ≥ 0, < 2.52.1 | Date: 2024-02-22
CVE-2024-25124 [CRITICAL] CWE-346 Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, w
Sources: GHSA, OSV
CVE-2023-45128 | P3 | CRITICAL | Affected: ≥ 0, < 2.50.0 | Date: 2023-10-17
CVE-2023-45128 [CRITICAL] CWE-20 CSRF Token Reuse Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and i
Sources: GHSA, OSV
CVE-2026-25882 | P3 | MEDIUM | Affected: ≥ 0, < 2.52.12 | Date: 2026-02-24
CVE-2026-25882 [MEDIUM] CWE-129 Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.
## Aff
Sources: GHSA, OSV
CVE-2023-45141 | P3 | HIGH | Affected: ≥ 0, < 2.50.0 | Date: 2023-10-17
CVE-2023-45141 [HIGH] CWE-352 Go Fiber CSRF Token Validation Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.
## Vulnerability Details
The vulnerability is cause
Sources: GHSA, OSV
CVE-2025-54801 | P3 | HIGH | Affected: ≥ 0, < 2.52.9 | Date: 2025-08-05
CVE-2025-54801 [HIGH] CWE-789 Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
### Description
When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.
The root cause is that the decoder attempts to alloca
Sources: GHSA, OSV
CVE-2025-48075 | P3 | HIGH | Affected: ≥ 2.52.6, < 2.52.7 | Date: 2025-05-22
CVE-2025-48075 [HIGH] CWE-129 Fiber panics when fiber.Ctx.BodyParser parses invalid range index
### Summary
When using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index
### Details
`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating
Sources: GHSA, OSV
CVE-2023-41338 | P4 | MEDIUM | Affected: ≥ 0, < 2.49.2 | Date: 2023-09-08
CVE-2023-41338 [MEDIUM] CWE-670 Fiber unauthorized access vulnerability in `ctx.IsFromLocal()`
### Impact
This vulnerability can be categorized as a security misconfiguration. It impacts users of our project who rely on the [ctx.IsFromLocal()](https://docs.gofiber.io/api/ctx#isfromlocal) method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost.
In it'
Sources: GHSA, OSV
CVE-2018-20744 | P4 | MEDIUM | Affected: ≥ 2.0.0, < 2.43.0 | Date: 2022-05-14
CVE-2018-20744 [MEDIUM] CWE-346 github.com/gofiber/fiber/v2 vulnerable to Origin Validation Error
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.
Sources: GHSA, OSV
CVE-2026-42554 | P4 | MEDIUM | Affected: ≥ 0, < 2.52.13 | Date: 2026-05-05
CVE-2026-42554 [MEDIUM] CWE-79 Fiber vulnerable to XSS in AutoFormat Content Negotiation
## Summary
**Description**
A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying `Accept: text/html` on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects `github.com/gofiber/fiber/v3` (`DefaultRes.AutoFormat`) through vers
Source: GHSA