| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/gofiber/fiber/v2 | go | <= 2.52.8 | 2.52.9 |
The vulnerability exists in the github.com/gofiber/fiber/v2 package, specifically within the form data parsing logic. The root cause is an uncontrolled memory allocation in the Decoder.Decode function, located in internal/schema/decoder.go. When parsing URL-encoded form data, the decoder creates slices and arrays based on numeric keys in the input (e.g., field[1]=value). The vulnerability is triggered when an attacker supplies a very large number as a slice index. The code attempts to allocate a slice of that size (reflect.MakeSlice(t, idx+1, idx+1)) without validating that the index idx is within a reasonable bound. This leads to a panic, either from an integer overflow or from the runtime failing to allocate an enormous amount of memory, which crashes the Fiber application, resulting in a Denial of Service (DoS).
The provided patch in commit e115c08b8f059a4a031b492aa9eef0712411853d addresses the symptom rather than the root cause. It wraps the decoding logic in Decoder.Decode with a defer-recover block. This prevents the panic from crashing the server and instead converts it into a standard error that is returned up the call stack. While this prevents the DoS, the underlying issue of not validating the index remains.
The primary vulnerable function is Decoder.Decode, where the allocation occurs. The function Ctx.BodyParser is the user-facing entry point that invokes this vulnerable logic, and would therefore appear in any runtime profile or stack trace when the vulnerability is triggered.
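To show the index validation the advisory describes as missing next to the patch's defer-recover wrapper, here is an added Go example (not Fiber's code) of a minimal decoder for `field[N]=value` keys. The names `maxSliceIndex`, `setIndexed` and `decodeForm`, and the limit of 1000, are assumptions made for this example.

```go
package main

import (
	"fmt"
	"reflect"
	"strconv"
	"strings"
)

const maxSliceIndex = 1000 // assumed bound for this example, not a Fiber constant

// setIndexed stores value at dst[N] for a key "field[N]", validating N before
// reflect.MakeSlice runs: the check the advisory says the decoder lacked.
func setIndexed(dst []string, rawIdx, value string) ([]string, error) {
	idx, err := strconv.Atoi(rawIdx)
	if err != nil || idx < 0 || idx > maxSliceIndex {
		return nil, fmt.Errorf("form: rejected index %q (limit %d)", rawIdx, maxSliceIndex)
	}
	if idx >= len(dst) {
		v := reflect.MakeSlice(reflect.TypeOf(dst), idx+1, idx+1)
		reflect.Copy(v, reflect.ValueOf(dst))
		dst = v.Interface().([]string)
	}
	dst[idx] = value
	return dst, nil
}

// decodeForm parses "a[0]=x&a[2]=y&b=z" into map[string][]string. The deferred
// recover mirrors the patch: a panic during decoding becomes a returned error.
func decodeForm(body string) (out map[string][]string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("form: decode panic: %v", r)
		}
	}()
	out = map[string][]string{}
	for _, pair := range strings.Split(body, "&") {
		key, value, _ := strings.Cut(pair, "=")
		open := strings.IndexByte(key, '[')
		if open < 0 || !strings.HasSuffix(key, "]") {
			out[key] = append(out[key], value) // plain key: no index, just append
			continue
		}
		name := key[:open]
		if out[name], err = setIndexed(out[name], key[open+1:len(key)-1], value); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

The bound check rejects the oversized index before any allocation happens, while the recover wrapper remains as a backstop for panics the checks did not anticipate.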