Description
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
Published: 2026-02-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

Fiber is an Express‑inspired web framework written in Go. Missing validation during route registration, combined with an unbounded array write during request matching, creates a route parameter overflow. When a remote attacker sends a request to a route with more than 30 parameters, the framework crashes, resulting in a denial of service. The flaw is categorized as CWE‑129. Based on the description, the vulnerability does not appear to require privileged access, so it can be triggered simply by sending a crafted request to a public‑facing Fiber instance.

Affected Systems

The vulnerability affects Fiber v2 and v3 prior to the release of patches. Any project using Fiber v2 older than 2.52.12 or Fiber v3 older than 3.1.0 is susceptible. Affected deployments are typically web servers that host a Fiber application on the Go runtime, regardless of operating system.

Risk and Exploitability

The CVSS score is 5.5, indicating moderate severity. The EPSS score of <1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, because the overflow can be triggered remotely without authentication, the operational risk remains for publicly accessible services. An attacker may simply request a URL with an excessive number of route parameters to crash the application.

Generated by OpenCVE AI on April 18, 2026 at 17:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Fiber framework to v2.52.12 or later if you are using the v2 branch.
  • Upgrade to v3.1.0 or later if you are using the v3 branch.
  • If an upgrade is not immediately possible, add server‑side logic that rejects routes with more than 30 parameters or otherwise limits the number of parameters parsed for any request.
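
One way to implement the interim check from the last bullet, as an added example (not Fiber's code and not part of the advisory): a startup guard that counts parameter markers in each route pattern and reports any pattern above 30. The marker rules (`:`, `*`, `+`, `\` escapes, `<...>` constraints) are a simplified assumption about Fiber's route syntax, and `countRouteParams` and `checkRoutes` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// maxRouteParams comes from the advisory text: routes with more than 30
// parameters crash unpatched versions.
const maxRouteParams = 30

// countRouteParams conservatively counts parameter markers in a pattern.
// Assumption: ':' starts a named parameter, '*' and '+' are wildcards, '\'
// escapes the next character, and '<...>' holds a constraint that is skipped.
func countRouteParams(pattern string) int {
	count, inConstraint := 0, false
	for i := 0; i < len(pattern); i++ {
		switch c := pattern[i]; {
		case c == '\\':
			i++ // skip the escaped character
		case inConstraint:
			inConstraint = c != '>'
		case c == '<':
			inConstraint = true
		case c == ':' || c == '*' || c == '+':
			count++
		}
	}
	return count
}

// checkRoutes returns one error per pattern over the limit, so the caller can
// refuse to start (or fail CI) before any route is registered.
func checkRoutes(patterns []string) []error {
	var errs []error
	for _, p := range patterns {
		if n := countRouteParams(p); n > maxRouteParams {
			errs = append(errs, fmt.Errorf("route has %d parameters (limit %d): %.40s", n, maxRouteParams, p))
		}
	}
	return errs
}

func main() {
	// Constructed sample patterns, not taken from any real application.
	wide := "/r" + strings.Repeat("/:p", 31)
	for _, err := range checkRoutes([]string{"/users/:id", "/files/*", `/v1/a\:b/:id<int>`, wide}) {
		fmt.Println("rejected:", err)
	}
}
```

Run the check over the application's route list before handlers are registered; it is a stopgap until the upgrade to a patched release.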

Advisories
Source: Github GHSA
ID: GHSA-mrq8-rjmw-wpq3
Title: Fiber has a Denial of Service Vulnerability via Route Parameter Overflow

History

Fri, 27 Feb 2026 03:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Gofiber; Gofiber fiber

Type: Vendors & Products
Values Added: Gofiber; Gofiber fiber

Tue, 24 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type: Description
Values Removed: Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.0.1 patches the issue in the v3 branch.
Values Added: Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

Tue, 24 Feb 2026 21:15:00 +0000

Type: Description
Values Added: Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.0.1 patches the issue in the v3 branch.

Type: Title
Values Added: Fiber has a Denial of Service Vulnerability via Route Parameter Overflow

Type: Weaknesses
Values Added: CWE-129

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T21:39:51.170Z

Reserved: 2026-02-06T21:08:39.129Z

Link: CVE-2026-25882

Vulnrichment

Updated: 2026-02-24T21:39:44.016Z

NVD

Status: Analyzed

Published: 2026-02-24T21:16:29.640

Modified: 2026-02-27T03:18:05.253

Link: CVE-2026-25882

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses