github.com/gofiber/fiber/v3 vulnerabilities
5 known vulnerabilities affecting github.com/gofiber/fiber/v3.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3
Vulnerabilities
CVE-2026-25891 | P3 | HIGH | ≥ 0, < 3.1.0 | 2026-02-24
CVE-2026-25891 [HIGH] CWE-22 Fiber has an Arbitrary File Read in Static Middleware on Windows
### Summary
**Description**
A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
### Details
The vulnerability resides
ghsa, osv
CVE-2026-25882 | P3 | MEDIUM | ≥ 0, < 3.1.0 | 2026-02-24
CVE-2026-25882 [MEDIUM] CWE-129 Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.
## Aff
ghsa, osv
CVE-2026-25899 | P3 | HIGH | ≥ 0, < 3.1.0 | 2026-02-24
CVE-2026-25899 [HIGH] CWE-770 Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
### Summary
The use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of w
ghsa, osv
CVE-2026-30246 | P3 | MEDIUM | ≥ 0, < 3.2.0 | 2026-04-28
CVE-2026-30246 [MEDIUM] CWE-200 Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
### Summary
Fiber cache middleware's default key generator uses only `c.Path()` and does not include the query string.
As a result, requests like `/?id=1` and `/?id=2` can map to the same cache key and share the sam
ghsa
CVE-2026-42554 | P4 | MEDIUM | ≥ 0, < 3.2.0 | 2026-05-05
CVE-2026-42554 [MEDIUM] CWE-79 Fiber vulnerable to XSS in AutoFormat Content Negotiation
## Summary
**Description**
A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying `Accept: text/html` on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects `github.com/gofiber/fiber/v3` (`DefaultRes.AutoFormat`) through vers
ghsa