VDB
CVE-2026-25882
CVE-2026-25882
PUBLISHED
CVSS 5.5 MEDIUM
Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
EPSS 0.08% · 24.1th percentile
Risk Scores
CVSS v4.0
5.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
EPSS Score
0.08%
24.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | gofiber/fiber/v2 | 0, 0 |
| gofiber | fiber | >= 3.0.0, < 3.1.0, 2.0.0, 3.0.0 |
| github.com | gofiber/fiber/v3 | 0, 0 |
Timeline
- Feb 24, 2026 CVE Published
- Feb 25, 2026 EPSS Score
- Feb 25, 2026 PoC Published
- Feb 26, 2026 EPSS Score
- Feb 27, 2026 CVE Updated
- Feb 27, 2026 PoC Published
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 4, 2026 EPSS Score
- Mar 6, 2026 EPSS Score
- Mar 7, 2026 EPSS Score
References
- https://github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3 url
- https://github.com/gofiber/fiber/pull/3962 url
- https://github.com/gofiber/fiber/blob/main/path.go#L514 url
- https://github.com/gofiber/fiber/blob/v2/path.go#L516 url
- https://nvd.nist.gov/vuln/detail/CVE-2026-25882 advisory
- https://github.com/gofiber/fiber package
- https://pkg.go.dev/vuln/GO-2026-4543 url