chore(deps): update module github.com/gofiber/fiber/v2 to v2.52.7 [security]
This MR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| github.com/gofiber/fiber/v2 | require | patch |
v2.52.6 -> v2.52.7
|
Fiber panics when fiber.Ctx.BodyParser parses invalid range index
CVE-2025-48075 / GHSA-hg3g-gphw-5hhm / GO-2025-3706
More information
Details
Summary
When using the fiber.Ctx.BodyParser to parse into a struct with range values, a panic occurs when trying to parse a negative range index
Details
fiber.Ctx.BodyParser can map flat data to nested slices using key[idx]value syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data.
Since this data is user-provided, this could lead to denial of service for anyone relying on this fiber.Ctx.BodyParser functionality
Reproducing
Take a simple GoFiberV2 server which returns a JSON encoded version of the FormData
package main
import (
"encoding/json"
"fmt"
"net/http"
"github.com/gofiber/fiber/v2"
)
type RequestBody struct {
NestedContent []*struct {
Value string `form:"value"`
} `form:"nested-content"`
}
func main() {
app := fiber.New()
app.Post("/", func(c *fiber.Ctx) error {
formData := RequestBody{}
if err := c.BodyParser(&formData); err != nil {
fmt.Println(err)
return c.SendStatus(http.StatusUnprocessableEntity)
}
c.Set("Content-Type", "application/json")
s, _ := json.Marshal(formData)
return c.SendString(string(s))
})
fmt.Println(app.Listen(":3000"))
}
Correct Behaviour Send a valid request such as:
curl --location 'localhost:3000' \
--form 'nested-content[0].value="Foo"' \
--form 'nested-content[1].value="Bar"'You recieve valid JSON
{"NestedContent":[{"Value":"Foo"},{"Value":"Bar"}]}Crashing behaviour Send an invalid request such as:
curl --location 'localhost:3000' \
--form 'nested-content[-1].value="Foo"'The server panics and crashes
panic: reflect: slice index out of range
goroutine 8 [running]:
reflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)
/usr/lib/go-1.24/src/reflect/value.go:1418 +0x167
github.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})
[...]Impact
Anyone using fiber.Ctx.BodyParser can/will have their servers crashed when an invalid payload is sent
Severity
- CVSS Score: Unknown
- Vector String:
CVSS:4.0/AV:N/AC:L/AT:N/MR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
References
- https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm
- https://nvd.nist.gov/vuln/detail/CVE-2025-48075
- https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d
- https://github.com/gofiber/fiber
- https://pkg.go.dev/vuln/GO-2025-3706
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber
CVE-2025-48075 / GHSA-hg3g-gphw-5hhm / GO-2025-3706
More information
Details
Fiber panics when fiber.Ctx.BodyParser parses invalid range index in github.com/gofiber/fiber
Severity
Unknown
References
- https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm
- https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d
This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).
Release Notes
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.