Fiber Susceptible to Crash via `BodyParser` Due to Unvalidated Large Slice Index in Decoder
Description
Fiber is an Express-inspired web framework written in Go. In versions 2.52.8 and below, when Fiber's Ctx.BodyParser is used to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating that the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.
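The description above states the defect at the level of the decoder's slice allocation: the index parsed from a form key is turned straight into a length of idx + 1 with no range check. The following added example (not Fiber's code, and not the actual fix in 2.52.9) is a miniature decoder for form keys of the shapes shown on this page, items[3] and test.18446744073704, that validates the index before any allocation is attempted. The names ParseIndexedKey, GrowSlice, DecodeStrings and the MaxSliceIndex cap are assumptions made for the example; the inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"regexp"
	"strconv"
)

// MaxSliceIndex is the largest slice index a client may name in a form key.
// Fiber's schema decoder had no such cap; this value is an assumption for the
// example, not a Fiber setting.
const MaxSliceIndex = 1000

// indexedKey matches "name[3]" (bracket form) and "name.3" (dotted form, as in
// the advisory's test.18446744073704 example) and captures name and index.
var indexedKey = regexp.MustCompile(`^([^\[\].]+)(?:\[(-?\d+)\]|\.(-?\d+))$`)

// ParseIndexedKey splits a form key into (name, index) and rejects indexes
// that are negative, not representable as int, or above MaxSliceIndex.
func ParseIndexedKey(key string) (string, int, error) {
	m := indexedKey.FindStringSubmatch(key)
	if m == nil {
		return "", 0, fmt.Errorf("key %q is not an indexed key", key)
	}
	raw := m[2]
	if raw == "" {
		raw = m[3]
	}
	idx, err := strconv.Atoi(raw)
	if err != nil {
		// Atoi returns ErrRange for digit strings that do not fit in int, so a
		// value that would overflow idx + 1 never reaches the allocation below.
		return "", 0, fmt.Errorf("index in %q is not a valid int: %w", key, err)
	}
	if idx < 0 || idx > MaxSliceIndex {
		return "", 0, fmt.Errorf("index %d in %q outside allowed range [0, %d]", idx, key, MaxSliceIndex)
	}
	return m[1], idx, nil
}

// GrowSlice returns v extended to at least idx+1 elements. It re-checks the
// bound so the allocation cannot be reached with an unvalidated index even if
// a caller skips ParseIndexedKey; this is the check the vulnerable decoder lacked.
func GrowSlice(v reflect.Value, idx int) (reflect.Value, error) {
	if v.Kind() != reflect.Slice {
		return v, errors.New("GrowSlice: value is not a slice")
	}
	if idx < 0 || idx > MaxSliceIndex {
		return v, fmt.Errorf("GrowSlice: refusing to allocate %d elements", idx+1)
	}
	if idx < v.Len() {
		return v, nil
	}
	grown := reflect.MakeSlice(v.Type(), idx+1, idx+1)
	reflect.Copy(grown, v)
	return grown, nil
}

// DecodeStrings is a miniature stand-in for the decoder: it fills a []string
// from form pairs such as {"items[2]": "c"}. Positions never named stay "".
func DecodeStrings(src map[string]string) ([]string, error) {
	out := reflect.ValueOf([]string{})
	for key, val := range src {
		_, idx, err := ParseIndexedKey(key)
		if err != nil {
			return nil, err
		}
		if out, err = GrowSlice(out, idx); err != nil {
			return nil, err
		}
		out.Index(idx).SetString(val)
	}
	return out.Interface().([]string), nil
}

func main() {
	// Constructed inputs: a benign body, the advisory's oversized dotted index,
	// and a negative bracket index like the one in the fix commit's test.
	for _, body := range []map[string]string{
		{"items[0]": "a", "items[2]": "c"},
		{"test.18446744073704": "x"},
		{"items[-1]": "x"},
	} {
		got, err := DecodeStrings(body)
		fmt.Printf("%v -> %q, err=%v\n", body, got, err)
	}
}
```

The point of checking in two places is that the cap belongs next to the allocation, not only in the key parser: a recover() around the whole decode (the approach visible in the patch below) turns a reflect panic into an error, but a sufficiently large reflect.MakeSlice can also end in a fatal runtime out-of-memory, which recover() cannot intercept, so the index must be rejected before MakeSlice is ever called.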
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gofiber/fiber/v2 (Go) | < 2.52.9 | 2.52.9 |
Patches
2 files changed · +39 −1
ctx_test.go+25 −0 modified@@ -654,6 +654,31 @@ func Test_Ctx_BodyParser(t *testing.T) { }) } +func Test_Ctx_BodyParser_InvalidRequestData(t *testing.T) { + t.Parallel() + + type RequestBody struct { + NestedContent []*struct { + Value string `form:"value"` + } `form:"nested-content"` + } + app := New() + c := app.AcquireCtx(&fasthttp.RequestCtx{}) + defer app.ReleaseCtx(c) + + c.Request().Reset() + c.Request().Header.SetContentType(MIMEApplicationForm) + // Test with invalid form data + c.Request().SetBody([]byte("nested-content[-1].value=Foo&nested-content[0].value=Bar&nested-content[1].value=FooBar")) + c.Request().Header.SetContentLength(len(c.Body())) + + subject := new(RequestBody) + err := c.BodyParser(subject) + + utils.AssertEqual(t, true, nil != err) + utils.AssertEqual(t, "failed to decode: schema: panic while decoding: reflect: slice index out of range", fmt.Sprintf("%v", err)) +} + func Test_Ctx_ParamParser(t *testing.T) { t.Parallel() app := New()
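Review bot: the new Test_Ctx_BodyParser_InvalidRequestData only exercises a negative index (`nested-content[-1].value=Foo`), which reflect rejects with "slice index out of range"; the trigger described in the advisory is an oversized positive index such as `test.18446744073704`, which reaches the allocation path rather than reflect's bounds check, so that case deserves its own form body in this test, asserting that an error comes back without the large allocation being attempted. Asserting on the full text `"failed to decode: schema: panic while decoding: reflect: slice index out of range"` also couples the test to reflect's exact panic message; checking for a sentinel error or a stable prefix would be less brittle across Go releases.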
internal/schema/decoder.go+14 −1 modified@@ -67,11 +67,24 @@ func (d *Decoder) RegisterConverter(value interface{}, converterFunc Converter) // Keys are "paths" in dotted notation to the struct fields and nested structs. // // See the package documentation for a full explanation of the mechanics. -func (d *Decoder) Decode(dst interface{}, src map[string][]string) error { +func (d *Decoder) Decode(dst interface{}, src map[string][]string) (err error) { v := reflect.ValueOf(dst) if v.Kind() != reflect.Ptr || v.Elem().Kind() != reflect.Struct { return errors.New("schema: interface must be a pointer to struct") } + + // Catch panics from the decoder and return them as an error. + // This is needed because the decoder calls reflect and reflect panics + defer func() { + if r := recover(); r != nil { + if e, ok := r.(error); ok { + err = e + } else { + err = fmt.Errorf("schema: panic while decoding: %v", r) + } + } + }() + v = v.Elem() t := v.Type() multiError := MultiError{}
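Review bot: the deferred recover() in Decode turns the reflect panic into an error but leaves the root cause in place: the decoder still asks for a slice of length idx + 1 before anything checks idx, and a fatal runtime out-of-memory from an oversized reflect.MakeSlice is not a panic, so recover() cannot intercept it. Validate the parsed index (reject negative values and cap it at a sensible maximum) before the allocation, and keep the recover() only as a last line of defence. Two smaller points: the hunk calls fmt.Errorf but shows no corresponding import change for fmt in decoder.go, so confirm the package already imports it; and a blanket recover() will also swallow genuine programming errors inside the decoder, so consider wrapping the recovered value so they stay distinguishable from bad input.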
References
- github.com/advisories/GHSA-qx2q-88mx-vhg7 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-54801 (NVD entry)
- github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d (fix commit)
- github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7 (project security advisory)