Go Fiber Router Parameter Overflow DoS Vulnerability

Critical Vulnerability Information Vulnerability Type Denial of Service (DoS) via Route Parameter Overflow Affected Versions GitHub.com/gofiber/fiber/v2: <= 2.52.11 GitHub.com/gofiber/fiber/v3: <= 3.0.0 Fixed Versions GitHub.com/gofiber/fiber/v2: 2.52.12 GitHub.com/gofiber/fiber/v3: 3.1.0 Vulnerability Description A denial-of-service vulnerability exists in Fiber v2 and v3 due to missing validation during route registration combined with unbounded array writes during request matching. This allows remote attackers to crash the application by sending requests with more than 30 parameters to a route. Severity Low (CVSS 7.5) - Attack Vector: Network (remotely exploitable) - Attack Complexity: Low (single HTTP request) - Privileges Required: None (no authentication required) - Impact: High availability impact (complete service disruption) Vulnerability Details and Root Cause Fiber v2 and v3 define a fixed-size parameter array in ctx.go. The code performs unbounded writes in path.go, leading to runtime panics. Example Attack Scenario 1. An application registers a route with more than 30 parameters. 2. An attacker sends a matching HTTP request. 3. The server crashes while processing the request. Conditions Required for Exploitation No authentication required A single HTTP request triggers the crash Persistent DoS attacks are easily scriptable Applicable to any route with more than 30 parameters Impact Potential remote DoS attacks on public APIs Cascading outages in microservices Failure of auto-scaling mechanisms due to repeated crashes Degradation of monitoring systems due to log flooding and alert fatigue Summary This vulnerability indicates that any application using the affected versions of the Fiber framework may be susceptible to simple DoS attacks. To mitigate this risk, users must upgrade to the patched versions and implement preventive measures as recommended by the workspace.

Goal Reached Thanks to every supporter — we hit 100%!

Go Fiber Router Parameter Overflow DoS Vulnerability

More from this source