fix(deps): update module github.com/gofiber/fiber/v2 to v2.52.9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gofiber/fiber/v2	v2.52.0 -> v2.52.9

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2024-25124

The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.

Impact

The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.

Proof of Concept

The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.

Potential Solution

Here is a potential solution to ensure the CORS configuration is secure:

func New(config ...Config) fiber.Handler {
    if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
        panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
    }
    // Return new handler goes below
}

The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.

Workarounds

For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.

References

MDN Web Docs on CORS Errors
CodeQL on CORS Misconfiguration
PortSwigger on Exploiting CORS Misconfigurations
WhatWG CORS protocol and credentials

CVE-2024-38513

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

1. Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
2. Session Management: Regularly rotate session IDs and enforce strict session expiration policies.

References

For more information on session best practices:

• OWASP Session Management Cheat Sheet

Users are encouraged to review these references and take immediate action to secure their applications.

CVE-2025-54801

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data

package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()

	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})

	fmt.Println(app.Listen(":3000"))
}

Run the server and send a POST request with a large numeric key in form data, such as:

curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Relevant Code Snippet

Within the decoder's decode method:

idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}

The idx is not validated before use, leading to unsafe slice allocation for extremely large values.

---

Impact

• Application panic or crash on malicious or malformed input.
• Potential denial of service (DoS) via memory exhaustion or server crash.
• Lack of defensive checks in the parsing code causes instability.

---

Release Notes

gofiber/fiber (github.com/gofiber/fiber/v2)

v2.52.9

Compare Source

🐛 Bug Fixes

• Add upper index limit for parsers by @​gaby in #​3503
• Embedded struct parsing by @​ReneWerner87 in #​3478
• Fix Content-Type comparison in Is() by @​gaby in #​3537
• Fix MIME type equality checks by @​gaby in #​3603

Full Changelog: gofiber/fiber@v2.52.8...v2.52.9

v2.52.8

Compare Source

👮 Security

• Fix for BodyParser - GHSA-hg3g-gphw-5hhm

🧹 Updates

• Backport ctx.String() from v3 by @​gaby in #​3294

🐛 Bug Fixes

• Fix routing with mount and static by @​ReneWerner87 in #​3454

📚 Documentation

• Update usage of ctx.Redirect() by @​andradei in #​3417
• Add AGENTS.md by @​gaby in #​3461

Full Changelog: gofiber/fiber@v2.52.6...v2.52.8

v2.52.7

Compare Source

v2.52.6

Compare Source

🐛 Bug Fixes

• Use Content-Length for bytesReceived and bytesSent tags in Logger Middleware in v2 by @​gaby in #​3067
• Fix handle un-matched open brackets in the query params by @​dojutsu-user in #​3121
• Middleware/CORS: Remove Scheme Restriction by @​zingi in #​3168
• Respect Immutable config for Body() by @​nickajacks1 in #​3246
• Support Square Bracket Notation in Multipart Form data by @​ReneWerner87 in #​3268

📚 Documentation

• Add detailed documentation for the templates guide by @​grivera64 in #​3113

🛠️ Maintenance

• Update benchmark-action to v1.20.3 by @​gaby in #​3084
• Add CODEOWNERS file by @​gaby in #​3124
• Update dependencies by @​gaby in #​3254
• Add parallel benchmark for Next() by @​gaby in #​3259

Full Changelog: gofiber/fiber@v2.52.5...v2.52.6

v2.52.5

Compare Source

👮 Security

Middleware/session: Session Middleware Token Injection Vulnerability - GHSA-98j2-3j3p-fw2v

https://docs.gofiber.io/api/middleware/session

🧹 Updates

• Middleware/session: Remove extra release and aquire ctx calls in session_test.go (#​3043)

🐛 Bug Fixes

• Middleware/monitor: middleware reporting of CPU usage (#​2984)
• Middleware/session: mutex for thread safety (#​3050)

📚 Documentation

• Improve ctx.Locals method description and example (#​3030)
• Improve ctx.Locals method documentation (#​3033)
• Update README_id.md (#​3045)

Full Changelog: gofiber/fiber@v2.52.4...v2.52.5

Thank you @​nyufeng, @​PaulTitto and @​sixcolors for making this update possible.

v2.52.4

Compare Source

🐛 Fixes

• Middleware/cors: CORS handling by @​sixcolors in #​2937
• Middleware/cors: Vary header handling non-cors OPTIONS requests by @​sixcolors in #​2939

Full Changelog: gofiber/fiber@v2.52.3...v2.52.4

v2.52.3

Compare Source

🐛 Fixes

• Middleware/cors: Handling and wildcard subdomain matching by @​sixcolors in #​2915
• Middleware/cors: Categorize requests correctly by @​sixcolors in #​2921
• Middleware/csrf: Fix Benchmark Tests by @​sixcolors in #​2932

Full Changelog: gofiber/fiber@v2.52.2...v2.52.3

v2.52.2

Compare Source

🐛 Fixes

• Middleware/cors: Validation of multiple Origins (#​2883)

Full Changelog: gofiber/fiber@v2.52.1...v2.52.2

v2.52.1

Compare Source

👮 Security

Middleware/cors: Insecure CORS Configuration Allowing Wildcard Origin with Credentials - GHSA-fmg4-x8pw-hjhg

https://docs.gofiber.io/api/middleware/cors

🐛 Fixes

• Middleware/healthcheck: Not working with route group(#​2863)

📚 Documentation

• Fix default value to false in docs of QueryBool (#​2811)
• Fix code snippet indentation in /docs/api/middleware/keyauth.md (#​2867)

Full Changelog: gofiber/fiber@v2.52.0...v2.52.1

Thank you @​luk3skyw4lker, @​CAEL0, @​grivera64, @​gaby and @​sixcolors for making this update possible.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: src/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/klauspost/compress	v1.17.6 -> v1.17.9
github.com/mattn/go-runewidth	v0.0.15 -> v0.0.16
golang.org/x/sys	v0.17.0 -> v0.28.0

[renovate]

ℹ️ Artifact update notice

File name: src/go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated

Details:

Package	Change
github.com/klauspost/compress	v1.17.6 -> v1.17.9
github.com/mattn/go-runewidth	v0.0.15 -> v0.0.16
golang.org/x/sys	v0.17.0 -> v0.28.0