openshield
Update module github.com/gofiber/fiber/v2 to v2.52.9 [SECURITY]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/gofiber/fiber/v2 | v2.52.5 -> v2.52.9 | | |
GitHub Vulnerability Alerts
CVE-2025-54801
Description
When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.
The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.
Steps to Reproduce
Create a POST request handler that accepts x-www-form-urlencoded data
```go
package main

import (
	"fmt"
	"net/http"

	"github.com/gofiber/fiber/v2"
)

type RequestBody struct {
	NestedContent []*struct{} `form:"test"`
}

func main() {
	app := fiber.New()
	app.Post("/", func(c *fiber.Ctx) error {
		formData := RequestBody{}
		if err := c.BodyParser(&formData); err != nil {
			fmt.Println(err)
			return c.SendStatus(http.StatusUnprocessableEntity)
		}
		return nil
	})
	fmt.Println(app.Listen(":3000"))
}
```
Run the server and send a POST request with a large numeric key in form data, such as:
```shell
curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'
```
Relevant Code Snippet
Within the decoder's decode method:
```go
idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
	value := reflect.MakeSlice(t, idx+1, idx+1) // <-- Panic/crash occurs here when idx is huge
	if v.Len() < idx+1 {
		reflect.Copy(value, v)
	}
	v.Set(value)
}
```
The idx value is not validated before use, so an extremely large index leads directly to an unsafe slice allocation.
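As an added illustration (not code from fiber or from this PR), the grow step below bounds the parsed index before the `reflect.MakeSlice` call the advisory points at, so a key such as `test.18446744073704` is refused instead of allocated. The limit value and the helper names are assumptions for this example, not fiber's actual fix in #3503.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

// Assumed upper bound for a form slice index (fiber's own limit is not reproduced here).
const maxSliceIndex = 1000

// parseIndex extracts the numeric index from a key like "test.18446744073704".
func parseIndex(key string) (int, error) {
	_, rawIdx, _ := strings.Cut(key, ".")
	idx, err := strconv.Atoi(rawIdx)
	if err != nil || idx < 0 {
		return 0, fmt.Errorf("key %q: bad index %q", key, rawIdx)
	}
	return idx, nil
}

// growSliceChecked mirrors the decoder's grow step but bounds idx before
// reflect.MakeSlice(t, idx+1, idx+1) can be reached with a huge length.
func growSliceChecked(v reflect.Value, idx int) (reflect.Value, error) {
	if idx > maxSliceIndex { // also prevents idx+1 from overflowing
		return v, fmt.Errorf("index %d exceeds limit %d", idx, maxSliceIndex)
	}
	if v.Len() < idx+1 {
		grown := reflect.MakeSlice(v.Type(), idx+1, idx+1)
		reflect.Copy(grown, v) // keep already-decoded elements
		return grown, nil
	}
	return v, nil
}

// setIndexed decodes one key/value pair into a []string via the checked path.
func setIndexed(dst []string, key, value string) ([]string, error) {
	idx, err := parseIndex(key)
	if err != nil {
		return dst, err
	}
	v, err := growSliceChecked(reflect.ValueOf(dst), idx)
	if err != nil {
		return dst, err
	}
	v.Index(idx).SetString(value)
	return v.Interface().([]string), nil
}
```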
Impact
- Application panic or crash on malicious or malformed input.
- Potential denial of service (DoS) via memory exhaustion or server crash.
- Lack of defensive checks in the parsing code causes instability.
Release Notes
gofiber/fiber (github.com/gofiber/fiber/v2)
v2.52.9
🐛 Bug Fixes
- Add upper index limit for parsers by @gaby in #3503
- Embedded struct parsing by @ReneWerner87 in #3478
- Fix Content-Type comparison in Is() by @gaby in #3537
- Fix MIME type equality checks by @gaby in #3603
Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.8...v2.52.9
v2.52.8
👮 Security
- Fix for BodyParser - GHSA-hg3g-gphw-5hhm
🧹 Updates
🐛 Bug Fixes
- Fix routing with mount and static by @ReneWerner87 in #3454
📚 Documentation
- Update usage of ctx.Redirect() by @andradei in #3417
- Add AGENTS.md by @gaby in #3461
Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.6...v2.52.8
v2.52.7
v2.52.6
🐛 Bug Fixes
- Use Content-Length for bytesReceived and bytesSent tags in Logger Middleware in v2 by @gaby in #3067
- Fix handle un-matched open brackets in the query params by @dojutsu-user in #3121
- Middleware/CORS: Remove Scheme Restriction by @zingi in #3168
- Respect Immutable config for Body() by @nickajacks1 in #3246
- Support Square Bracket Notation in Multipart Form data by @ReneWerner87 in #3268
📚 Documentation
- Add detailed documentation for the templates guide by @grivera64 in #3113
🛠️ Maintenance
- Update benchmark-action to v1.20.3 by @gaby in #3084
- Add CODEOWNERS file by @gaby in #3124
- Update dependencies by @gaby in #3254
- Add parallel benchmark for Next() by @gaby in #3259
Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.5...v2.52.6
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
ℹ Artifact update notice
File name: go.mod
In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):
- 1 additional dependency was updated
Details:
| Package | Change |
|---|---|
| golang.org/x/sys | v0.26.0 -> v0.28.0 |
Quality Gate passed
- Issues: 0 new issues, 0 accepted issues
- Measures: 0 security hotspots, 0.0% coverage on new code, 0.0% duplication on new code