Description
Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
Published: 2026-02-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read on Windows
Action: Patch Immediately
AI Analysis

Impact

Fiber implements an Express‑style static file middleware that is supposed to block path traversal. However, a flaw in the sanitizer allows a remote attacker to craft a request that escapes the intended directory, enabling reads of any file on the server’s file system. The flaw maps to CWE‑22 and compromises confidentiality by exposing sensitive data, configuration files, or credentials without authentication.

Affected Systems

The vulnerability exists in all Fiber releases from v3 up to and including v3.0.0. It has been resolved in Fiber v3.1.0. Users running the affected versions on Windows servers are at risk.

Risk and Exploitability

The CVSS score of 7.7 indicates a high severity, while the EPSS score of less than 1% suggests that exploitation attempts are currently very rare. The issue is not listed in CISA’s KEV catalog. Attackers can exploit it remotely through a crafted HTTP request to the static middleware endpoint, bypassing the intended sanitization logic. No additional user interaction or privileged access is required.

Generated by OpenCVE AI on April 18, 2026 at 10:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fiber v3.1.0 or a later release that includes the fixed static middleware logic.
  • If an upgrade is not immediately possible, disable or remove the static middleware that serves files on Windows or restrict its configuration to serve only from trusted directories.
  • Apply network‑layer restrictions such as firewall rules or reverse proxy access controls to limit exposure of the static endpoint to trusted networks or IP ranges only.

Advisories

Source: GitHub GHSA
ID: GHSA-m3c2-496v-cw3v
Title: Fiber has an Arbitrary File Read in Static Middleware on Windows

History

Fri, 27 Feb 2026 03:30:00 +0000

  • CPEs, values added: cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*
  • Metrics (cvssV3_1), values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Feb 2026 12:00:00 +0000

  • First Time Appeared, values added: Gofiber; Gofiber fiber
  • Vendors & Products, values added: Gofiber; Gofiber fiber

Tue, 24 Feb 2026 22:15:00 +0000

  • Metrics (ssvc), values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 21:30:00 +0000

  • Description, values added: Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
  • Title, values added: Fiber has an Arbitrary File Read in Static Middleware on Windows
  • Weaknesses, values added: CWE-22
  • References
  • Metrics (cvssV4_0), values added: {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-24T21:39:11.118Z

Reserved: 2026-02-06T21:08:39.130Z

Link: CVE-2026-25891

Vulnrichment

Updated: 2026-02-24T21:39:05.876Z

NVD

Status: Analyzed

Published: 2026-02-24T22:16:31.440

Modified: 2026-02-27T03:18:58.503

Link: CVE-2026-25891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses