cbcvebase.

Gofiber Fiber vulnerabilities

14 known vulnerabilities affecting gofiber/fiber.

Total CVEs
14
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL3HIGH7MEDIUM4

Vulnerabilities

Page 1 of 1
CVE-2025-66630P3CRITICALCVSS 9.4fixed in 2.52.112026-02-09
CVE-2025-66630 [CRITICAL] CWE-338 CVE-2025-66630: Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1. Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy id
nvd
CVE-2024-38513P3CRITICALCVSS 9.8fixed in 2.52.52024-07-01
CVE-2024-38513 [CRITICAL] CWE-384 CVE-2024-38513: Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior t Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session
nvd
CVE-2024-25124P3CRITICALCVSS 9.8fixed in 2.52.12024-02-21
CVE-2024-25124 [CRITICAL] CWE-346 CVE-2024-25124: Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for inse Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having the Access-Control-Allow-Credent
nvd
CVE-2026-25891P3HIGHCVSS 7.5≥ 3.0.0, < 3.1.0v>= 3.0.0, < 3.1.02026-02-24
CVE-2026-25891 [HIGH] CWE-22 CVE-2026-25891: Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
nvd
CVE-2023-45128P3HIGHCVSS 8.8fixed in 2.50.02023-10-16
CVE-2023-45128 [HIGH] CWE-20 CVE-2023-45128: Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulner Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perfo
nvd
CVE-2026-25882P3HIGHCVSS 7.5≥ 2.0.0, < 2.52.12≥ 3.0.0, < 3.1.0+2 more2026-02-24
CVE-2026-25882 [HIGH] CWE-129 CVE-2026-25882: Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists i Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during
nvd
CVE-2026-25899P3HIGHCVSS 7.5≥ 3.0.0, < 3.1.0v>= 3.0.0, < 3.1.02026-02-24
CVE-2026-25899 [HIGH] CWE-789 CVE-2026-25899: Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1. Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Ever
nvd
CVE-2023-45141P3HIGHCVSS 8.8fixed in 2.50.02023-10-16
CVE-2023-45141 [HIGH] CWE-352 CVE-2023-45141: Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulner Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and
nvd
CVE-2025-54801P3HIGHCVSS 7.5fixed in 2.52.92025-08-06
CVE-2025-54801 [HIGH] CWE-789 CVE-2025-54801: Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using F Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that
nvd
CVE-2025-48075P3HIGHCVSS 7.5≥ 2.0.0, < 2.52.7v>= 2.52.6, < 2.52.72025-05-22
CVE-2025-48075 [HIGH] CWE-129 CVE-2025-48075: Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to ve Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this co
nvd
CVE-2026-30246P3MEDIUMCVSS 6.5≤ 3.1.0v>= v3.0.0-beta.2, < 3.1.02026-05-05
CVE-2026-30246 [MEDIUM] CWE-436 CVE-2026-30246: Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause
nvd
CVE-2023-41338P4MEDIUMCVSS 5.3fixed in 2.49.22023-09-08
CVE-2023-41338 [MEDIUM] CWE-670 CVE-2023-41338: Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2. Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only
nvd
CVE-2026-42554P4MEDIUMCVSS 6.1fixed in 2.52.12≥ 3.0.0, < 3.1.0+2 more2026-05-11
CVE-2026-42554 [MEDIUM] CWE-79 CVE-2026-42554: Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in G Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. The developer opts into content negotiation by calling AutoFor
nvd
CVE-2020-15111P4MEDIUMCVSS 5.4fixed in 1.12.62020-07-20
CVE-2020-15111 [MEDIUM] CWE-74 CVE-2020-15111: In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.i In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, r
nvd
Gofiber Fiber vulnerabilities | cvebase