CVE-2025-48075

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-48075
Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d Patch
https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm Vendor Advisory Exploit
https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm Vendor Advisory Exploit
Configurations

Configuration 1 (hide)

cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
History

30 May 2025, 01:18

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References () https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d - () https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d - Patch
References () https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm - () https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm - Vendor Advisory, Exploit
First Time Gofiber
Gofiber fiber
CPE cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*

23 May 2025, 15:55

Type Values Removed Values Added
Summary
  • (es) Fiber es un framework web inspirado en Express y escrito en Go. A partir de la versión 2.52.6 y anteriores a la 2.52.7, `fiber.Ctx.BodyParser` puede asignar datos planos a segmentos anidados mediante la sintaxis `key[idx]value`. Sin embargo, cuando `idx` es negativo, genera un pánico en lugar de devolver un error que indica que no puede procesar los datos. Dado que estos datos son proporcionados por el usuario, esto podría provocar una denegación de servicio para cualquiera que dependa de esta funcionalidad de `fiber.Ctx.BodyParser`. La versión 2.52.7 soluciona este problema.

22 May 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-22 18:15

Updated : 2025-05-30 01:18

NVD link : CVE-2025-48075

Mitre link : CVE-2025-48075

CVE.ORG link : CVE-2025-48075

JSON object : View

Products Affected

gofiber

  • fiber
CWE
CWE-129

Improper Validation of Array Index