Denial of Service Vulnerability in the Fiber Web Framework for Go
CVE-2026-25882

5.5 MEDIUM

Key Information:

Vendor

Gofiber

Status
Vendor
CVE Published:
24 February 2026

What is CVE-2026-25882?

A denial of service vulnerability affects Fiber, an Express-inspired web framework written in Go. Remote attackers can crash an application by sending requests to a route that contains more than 30 parameters. The vulnerability arises from insufficient validation during route registration combined with an unbounded array write when matching requests to routes. Versions 2.52.12 and 3.0.1 address the problem in their respective branches.
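The check that was missing at route registration can be run over an application's own route table before upgrading. The following is an added example, not code from Fiber or from this advisory; the function names are hypothetical, and the parameter counter is a conservative approximation of Fiber's route syntax (`:name`, `*`, `+`, backslash escapes) that may over-count.

```go
package main

import (
	"fmt"
	"strings"
)

const maxRouteParams = 30 // threshold given in the advisory text

// countRouteParams counts parameter markers in a Fiber-style pattern:
// ':' starts a named parameter, '*' and '+' are wildcards, a backslash
// escapes the next character. Assumption: markers inside a constraint
// are counted as well, so the result can only over-estimate.
func countRouteParams(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		switch pattern[i] {
		case '\\':
			i++ // skip the escaped character
		case ':', '*', '+':
			n++
		}
	}
	return n
}

// auditRoutes returns every pattern with more than maxRouteParams parameters.
func auditRoutes(patterns []string) []string {
	var flagged []string
	for _, p := range patterns {
		if countRouteParams(p) > maxRouteParams {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

// buildPattern makes a constructed sample route with n named parameters.
func buildPattern(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "/:p%d", i)
	}
	return b.String()
}

func main() {
	routes := []string{"/users/:id", "/flights/:from-:to", buildPattern(30), buildPattern(31)}
	fmt.Printf("%d of %d routes exceed the limit\n", len(auditRoutes(routes)), len(routes))
}
```

Running this over the patterns an application registers flags routes to split or redesign; it does not replace updating to a fixed release.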

Affected Version(s)

fiber >= 2.0.0, < 2.52.12 < 2.0.0, 2.52.12

fiber >= 3.0.0, < 3.1.0 < 3.0.0, 3.1.0

CVSS V4

Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
