CVE-2025-54801

Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d	Patch
https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7	Vendor Advisory
https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*

History

23 Sep 2025, 23:27

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Gofiber fiber Gofiber
References	~~() https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d -~~	() https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d - Patch
References	~~() https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7 -~~	() https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7 - Vendor Advisory
CPE		cpe:2.3:a:gofiber:fiber::::::go::*

07 Aug 2025, 14:15

Type	Values Removed	Values Added
References	~~() https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7 -~~	() https://github.com/gofiber/fiber/security/advisories/GHSA-qx2q-88mx-vhg7 -

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) Fiber es un framework web inspirado en Express y escrito en Go. En las versiones 2.52.8 y anteriores, al usar Ctx.BodyParser de Fiber para analizar datos de formulario que contienen una clave numérica grande que representa el índice de un segmento (p. ej., test.18446744073704), la aplicación se bloquea debido a una asignación de segmento fuera de los límites en el decodificador de esquema subyacente. La causa principal es que el decodificador intenta asignar un segmento con una longitud de idx + 1 sin validar si el índice se encuentra dentro de un rango seguro o razonable. Si el idx es excesivamente grande, se produce un desbordamiento de enteros o un agotamiento de memoria, lo que provoca un pánico o un bloqueo. Esto se solucionó en la versión 2.52.9.

06 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 00:15

Updated : 2025-09-23 23:27

NVD link : CVE-2025-54801

Mitre link : CVE-2025-54801

CVE.ORG link : CVE-2025-54801

JSON object : View

Products Affected

gofiber

fiber

CWE

CWE-789

Memory Allocation with Excessive Size Value

7.5 /10