Go modules package
github.com/gofiber/fiber/v2
pkg:golang/github.com/gofiber/fiber/v2
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42554 | Med | 6.1 | < 2.52.13 | 2.52.13 | May 11, 2026 | Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() | |
| CVE-2026-25882 | — | < 2.52.12 | 2.52.12 | Feb 24, 2026 | Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validatio | ||
| CVE-2025-66630 | — | < 2.52.11 | 2.52.11 | Feb 9, 2026 | Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application | ||
| CVE-2025-54801 | — | < 2.52.9 | 2.52.9 | Aug 5, 2025 | Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds s | ||
| CVE-2025-48075 | — | >= 2.52.6, < 2.52.7 | 2.52.7 | May 22, 2025 | Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stat | ||
| CVE-2024-38513 | — | < 2.52.5 | 2.52.5 | Jul 1, 2024 | Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session | ||
| CVE-2024-25124 | — | < 2.52.1 | 2.52.1 | Feb 21, 2024 | Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header t | ||
| CVE-2023-45141 | — | < 2.50.0 | 2.50.0 | Oct 16, 2023 | Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions be | ||
| CVE-2023-45128 | — | < 2.50.0 | 2.50.0 | Oct 16, 2023 | Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow a | ||
| CVE-2023-41338 | — | < 2.49.2 | 2.49.2 | Sep 8, 2023 | Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If ex | ||
| CVE-2018-20744 | — | >= 2.0.0, < 2.43.0 | 2.43.0 | Jan 28, 2019 | The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems. |
- affected < 2.52.13fixed 2.52.13
Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat()
- CVE-2026-25882Feb 24, 2026affected < 2.52.12fixed 2.52.12
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validatio
- CVE-2025-66630Feb 9, 2026affected < 2.52.11fixed 2.52.11
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application
- CVE-2025-54801Aug 5, 2025affected < 2.52.9fixed 2.52.9
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds s
- CVE-2025-48075May 22, 2025affected >= 2.52.6, < 2.52.7fixed 2.52.7
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stat
- CVE-2024-38513Jul 1, 2024affected < 2.52.5fixed 2.52.5
Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session
- CVE-2024-25124Feb 21, 2024affected < 2.52.1fixed 2.52.1
Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header t
- CVE-2023-45141Oct 16, 2023affected < 2.50.0fixed 2.50.0
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions be
- CVE-2023-45128Oct 16, 2023affected < 2.50.0fixed 2.50.0
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow a
- CVE-2023-41338Sep 8, 2023affected < 2.49.2fixed 2.49.2
Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If ex
- CVE-2018-20744Jan 28, 2019affected >= 2.0.0, < 2.43.0fixed 2.43.0
The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header value, which is incompatible with the CORS security design, and could lead to CORS misconfiguration security problems.