CVE-2025-54801 – github.com/gofiber/fiber/v2
Package
Manager: go
Name: github.com/gofiber/fiber/v2
Vulnerable Version: >=0 <2.52.9
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.0006 (percentile 0.19054)
Details
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder

### Description

When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length `idx + 1` without validating whether the index is within a safe or reasonable range. If `idx` is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

### Steps to Reproduce

Create a POST request handler that accepts `x-www-form-urlencoded` data:

```go
package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}
```

Run the server and send a POST request with a large numeric key in form data, such as:

```bash
curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'
```

### Relevant Code Snippet

Within the decoder's [decode method](https://github.com/gofiber/fiber/blob/v2.52.8/internal/schema/decoder.go#L249):

```go
idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
	value := reflect.MakeSlice(t, idx+1, idx+1) // <-- Panic/crash occurs here when idx is huge
	if v.Len() < idx+1 {
		reflect.Copy(value, v)
	}
	v.Set(value)
}
```

The `idx` is not validated before use, leading to unsafe slice allocation for extremely large values.

---

### Impact

- Application panic or crash on malicious or malformed input.
- Potential denial of service (DoS) via memory exhaustion or server crash.
- Lack of defensive checks in the parsing code causes instability.
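The following Go example, added here and not taken from the advisory or from Fiber's own code, shows the missing defensive check: the slice index parsed from a form key is bounds-checked before `reflect.MakeSlice` is reached, so an oversized index is reported as an error instead of triggering an allocation-driven panic. The `maxSliceIndex` cap, `parseIndex` and `growSlice` are hypothetical names and values chosen for illustration; the advisory does not state what limit the upstream fix uses.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// maxSliceIndex is an assumed, hypothetical cap on the slice index a form key
// may address; the advisory does not state the value the upstream fix uses.
const maxSliceIndex = 1000

var errIndexTooLarge = errors.New("form slice index exceeds allowed maximum")

// parseIndex extracts the numeric slice index from a form key such as "test.3"
// and rejects indexes that are missing, non-numeric, negative or above the cap.
func parseIndex(key string) (int, error) {
	dot := strings.LastIndexByte(key, '.')
	if dot < 0 || dot == len(key)-1 {
		return 0, fmt.Errorf("key %q carries no slice index", key)
	}
	idx, err := strconv.Atoi(key[dot+1:])
	if err != nil || idx < 0 {
		return 0, fmt.Errorf("key %q has an invalid slice index", key)
	}
	if idx > maxSliceIndex {
		return 0, errIndexTooLarge
	}
	return idx, nil
}

// growSlice mirrors the decoder logic quoted above, but bounds-checks idx at
// the allocation site so an oversized index yields an error, not a panic.
func growSlice(v reflect.Value, idx int) (reflect.Value, error) {
	if idx < 0 || idx > maxSliceIndex {
		return v, errIndexTooLarge
	}
	if v.IsNil() || v.Len() < idx+1 {
		grown := reflect.MakeSlice(v.Type(), idx+1, idx+1)
		reflect.Copy(grown, v) // copies the existing elements, if any
		return grown, nil
	}
	return v, nil
}
```

With these checks in place, the key from the reproduction above (`test.18446744073704`) is rejected by `parseIndex` before any slice is allocated, while ordinary keys such as `test.2` still grow the slice as the decoder intends.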
Metadata
Created: 2025-08-05T15:22:21Z
Modified: 2025-08-06T14:31:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qx2q-88mx-vhg7/GHSA-qx2q-88mx-vhg7.json
CWE IDs: ["CWE-789"]
Alternative ID: GHSA-qx2q-88mx-vhg7
Finding: F184
Auto approve: 1