High severity · NVD Advisory · Published May 22, 2025 · Updated May 22, 2025
Fiber panics when fiber.Ctx.BodyParser parses invalid range index
CVE-2025-48075
Description
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, fiber.Ctx.BodyParser can map flat data to nested slices using key[idx]value syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this fiber.Ctx.BodyParser functionality. Version 2.52.7 fixes the issue.
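The negative-index path described above, as an added example in Go (not fiber's own code): a cut-down decoder that maps name[idx] form pairs onto a flat []string instead of fiber's nested structs, rejects a negative or non-numeric index before any reflect call is made, and keeps a recover backstop like the upstream fix. The names parseIndex, setSliceElem and decodePair are hypothetical, and the sample keys are constructed after the advisory's regression test.

```go
package main
import (
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// parseIndex rejects a negative or non-numeric idx in "name[idx]" before reflect sees it.
func parseIndex(key string) (int, error) {
	_, rest, ok := strings.Cut(key, "[")
	if !ok || !strings.HasSuffix(rest, "]") {
		return 0, fmt.Errorf("key %q: missing [idx] suffix", key)
	}
	idx, err := strconv.Atoi(strings.TrimSuffix(rest, "]"))
	if err != nil || idx < 0 {
		return 0, fmt.Errorf("key %q: invalid slice index", key)
	}
	return idx, nil
}
// setSliceElem writes value at (*dst)[idx], growing the slice as needed, and,
// like the upstream fix, recovers any reflect panic into an error.
func setSliceElem(dst *[]string, idx int, value string) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("panic while decoding: %v", r)
		}
	}()
	for len(*dst) <= idx { // grow to fit; a no-op for a negative idx
		*dst = append(*dst, "")
	}
	// reflect.Value.Index panics on a negative index (the advisory's crash).
	reflect.ValueOf(dst).Elem().Index(idx).SetString(value)
	return nil
}
// decodePair handles one "name[idx]"=value form pair, returning an error
// instead of panicking when the index is invalid.
func decodePair(out *[]string, key, value string) error {
	idx, err := parseIndex(key)
	if err != nil {
		return err
	}
	return setSliceElem(out, idx, value)
}

func main() {
	var out []string // constructed sample, modelled on the advisory's regression test
	fmt.Println(decodePair(&out, "nested-content[-1]", "Foo")) // error, not a panic
}
```

With the validation in parseIndex removed, the same input reaches reflect.Value.Index and only the recover turns the panic into an error, which is the layering the upstream fix relies on.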
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gofiber/fiber/v2 | Go | >= 2.52.6, < 2.52.7 | 2.52.7 |
Patches
1 commit · 2 files changed · +39 −1
ctx_test.go+25 −0 modified@@ -654,6 +654,31 @@ func Test_Ctx_BodyParser(t *testing.T) { }) } +func Test_Ctx_BodyParser_InvalidRequestData(t *testing.T) { + t.Parallel() + + type RequestBody struct { + NestedContent []*struct { + Value string `form:"value"` + } `form:"nested-content"` + } + app := New() + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + + c.Request().Reset() + c.Request().Header.SetContentType(MIMEApplicationForm) + // Test with invalid form data + c.Request().SetBody([]byte("nested-content[-1].value=Foo&nested-content[0].value=Bar&nested-content[1].value=FooBar")) + c.Request().Header.SetContentLength(len(c.Body())) + + subject := new(RequestBody) + err := c.BodyParser(subject) + + utils.AssertEqual(t, true, nil != err) + utils.AssertEqual(t, "failed to decode: schema: panic while decoding: reflect: slice index out of range", fmt.Sprintf("%v", err)) +} + func Test_Ctx_ParamParser(t *testing.T) { t.Parallel() app := New()
internal/schema/decoder.go+14 −1 modified@@ -67,11 +67,24 @@ func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) // Keys are "paths" in dotted notation to the struct fields and nested structs. // // See the package documentation for a full explanation of the mechanics. -func (d *Decoder) Decode(dst interface{}, src map[string][]string) error { +func (d *Decoder) Decode(dst interface{}, src map[string][]string) (err error) { v := reflect.ValueOf(dst) if v.Kind() != reflect.Ptr || v.Elem().Kind() != reflect.Struct { return errors.New("schema: interface must be a pointer to struct") } + + // Catch panics from the decoder and return them as an error. + // This is needed because the decoder calls reflect and reflect panics + defer func() { + if r := recover(); r != nil { + if e, ok := r.(error); ok { + err = e + } else { + err = fmt.Errorf("schema: panic while decoding: %v", r) + } + } + }() + v = v.Elem() t := v.Type() multiError := MultiError{}
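Review bot: in Test_Ctx_BodyParser_InvalidRequestData, the assertion on the exact string "failed to decode: schema: panic while decoding: reflect: slice index out of range" couples the test to the wording of reflect's panic message, which is not covered by Go's compatibility promise; asserting that err is non-nil and that its message starts with "failed to decode: schema: panic while decoding:" would survive a runtime message change. The test also exercises only the negative index nested-content[-1]; a case with another malformed key[idx] form would document what the decoder now returns for those inputs as well.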
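Review bot: the deferred recover() added to Decode is a catch-all: it turns every panic reached from the decoder, including programming errors and runtime faults unrelated to request data, into a returned error, which hides them from the normal panic-handling path instead of fixing the cause. The negative index should be rejected where the key[idx] path is parsed, returning an error before reflect.Value.Index is ever reached, with this recover kept only as a backstop. The two branches also wrap differently: a panic value that implements error is returned verbatim, while any other value gets the "schema: panic while decoding:" prefix, so callers cannot match on one prefix; wrapping both the same way, e.g. err = fmt.Errorf("schema: panic while decoding: %w", e), keeps them consistent.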
References
- github.com/advisories/GHSA-hg3g-gphw-5hhm (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-48075 (NVD advisory)
- github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d (fix commit)
- github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm (vendor advisory)
- pkg.go.dev/vuln/GO-2025-3706 (Go vulnerability database)