CVE-2026-25882: Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
(updated )
A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching.
References
- github.com/advisories/GHSA-mrq8-rjmw-wpq3
- github.com/gofiber/fiber
- github.com/gofiber/fiber/blob/main/path.go
- github.com/gofiber/fiber/blob/v2/path.go
- github.com/gofiber/fiber/pull/3962
- github.com/gofiber/fiber/security/advisories/GHSA-mrq8-rjmw-wpq3
- nvd.nist.gov/vuln/detail/CVE-2026-25882
- pkg.go.dev/vuln/GO-2026-4543
Code Behaviors & Features
Detect and mitigate CVE-2026-25882 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →