CVE-2026-25882

Medium CVSS: 5.5

Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

Vendor

Gofiber

Product

Fiber

CWE

CWE-129

Yayın Tarihi

2026-02-24 21:16:29

Güncelleme

2026-02-27 03:18:05

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-129 Fiber MEDIUM Gofiber 2026

Referanslar

https://github.com/gofiber/fiber/blob/main/path.go#L514 https://github.com/gofiber/fiber/blob/v2/path.go#L516 https://github.com/gofiber/fiber/pull/3962 https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3

Benzer Kayıtlar

High

CVE-2026-25891

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remo…

High

CVE-2026-25899

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `f…

Critical

CVE-2025-66630

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying c…

Critical

CVE-2025-66565

Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's c…

High

CVE-2025-54801

Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParse…

High

CVE-2025-48075

Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber…