Key Information

Vulnerability Overview
Title: Arbitrary File Read in Static Middleware on Windows
Severity: High
CVE ID: CVE-2026-25891
CWE: CWE-22 (Path Traversal)

Affected and Patched Versions
Affected Versions: <= 3.0.0
Patched Versions: 3.1.0

Vulnerability Details
Location: middleware/static/static.go, within the sanitizePath function
Issue:
1. The check for backslash characters happens before the URL decoding loop.
2. path.Clean is used to clean the resulting string, and it does not recognize backslashes as directory separators.

Impact
Impact: Directory traversal on the host server, allowing the reading of arbitrary files within the application scope.
Systems Affected: Windows servers using static middleware.

Remediation
Patches: Released in Fiber v3 version 3.1.0.
Recommendation: Strongly encouraged to update to the latest available release.
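
The ordering problem described in the vulnerability details above, shown as an added example that is neither Fiber's sanitizePath nor its 3.1.0 patch. The function names (decodeFully, flawedSanitize, hardenedSanitize) and the sample path are constructed for illustration: a check-then-decode sanitizer sits beside a decode-then-check one.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var errBadPath = errors.New("path rejected")
// decodeFully percent-decodes until stable; malformed or deeply nested input is rejected.
func decodeFully(p string) (string, error) {
	for i := 0; i < 8; i++ {
		d, err := url.PathUnescape(p)
		if err != nil {
			return "", errBadPath
		}
		if d == p {
			return p, nil
		}
		p = d
	}
	return "", errBadPath
}

// flawedSanitize checks for backslashes before decoding, the order the advisory describes.
func flawedSanitize(p string) (string, error) {
	if strings.Contains(p, `\`) {
		return "", errBadPath
	}
	d, err := decodeFully(p)
	return path.Clean("/" + d), err // path.Clean only treats "/" as a separator
}

// hardenedSanitize decodes first, then rejects backslashes and NUL, then cleans.
func hardenedSanitize(p string) (string, error) {
	d, err := decodeFully(p)
	if err != nil || strings.ContainsAny(d, "\\\x00") {
		return "", errBadPath
	}
	return path.Clean("/" + d), nil
}

func main() {
	in := "/assets/..%5c..%5cconfig.yml" // constructed sample input
	f, _ := flawedSanitize(in)
	_, err := hardenedSanitize(in)
	fmt.Printf("flawed=%q hardened err=%v\n", f, err)
}
```

The flawed variant returns a path that still contains `..\` segments, which Windows file APIs treat as parent-directory references, while the hardened variant rejects the same input.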