CVE-2026-30246: Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters
Fiber cache middleware’s default key generator uses only c.Path() and does not include the query string.
As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response.
This can cause response mix-up (cache poisoning-like behavior) for endpoints where response content depends on query parameters.
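The collision described above, modeled with the Go standard library only. This is an added example, not Fiber's code: `pathOnlyKey`, `queryAwareKey`, `handler` and `serve` are hypothetical names, and the cache is a plain map standing in for the middleware's store.

```go
package main

import (
	"fmt"
	"net/url"
)

// pathOnlyKey models the flawed default described in the advisory:
// the cache key is the path alone, so the query string is ignored.
func pathOnlyKey(u *url.URL) string { return u.Path }

// queryAwareKey adds the query string in canonical form. Values.Encode
// sorts by parameter name, so ?a=1&b=2 and ?b=2&a=1 share one entry.
func queryAwareKey(u *url.URL) string {
	if q := u.Query().Encode(); q != "" {
		return u.Path + "?" + q
	}
	return u.Path
}

// handler stands in for an endpoint whose body depends on ?id=.
func handler(u *url.URL) string { return "record " + u.Query().Get("id") }

// serve is a minimal response cache: return the stored body for the key,
// otherwise run the handler and store its result.
func serve(cache map[string]string, key func(*url.URL) string, raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return "bad request"
	}
	k := key(u)
	if body, ok := cache[k]; ok {
		return body
	}
	body := handler(u)
	cache[k] = body
	return body
}

func main() {
	for name, key := range map[string]func(*url.URL) string{
		"path only": pathOnlyKey, "path+query": queryAwareKey,
	} {
		cache := map[string]string{}
		first := serve(cache, key, "/?id=1")
		second := serve(cache, key, "/?id=2")
		fmt.Printf("%-10s /?id=1 -> %q, /?id=2 -> %q\n", name, first, second)
	}
}
```

With the path-only key the second request receives the body cached for `id=1`; with the query-aware key each query gets its own entry. In an application, the same idea applies to the cache middleware's configurable `KeyGenerator`.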
References
- github.com/advisories/GHSA-35hp-hqmv-8qg8
- github.com/gofiber/fiber
- github.com/gofiber/fiber/blob/main/middleware/cache/cache_test.go
- github.com/gofiber/fiber/blob/main/middleware/cache/config.go
- github.com/gofiber/fiber/commit/050ff1ff18511c1475b8ec627460216aaecddd4e
- github.com/gofiber/fiber/commit/9a0d12c07ed895b84c72987f9288b04137afe5de
- github.com/gofiber/fiber/security/advisories/GHSA-35hp-hqmv-8qg8
- nvd.nist.gov/vuln/detail/CVE-2026-30246