CVE-2026-25882

Source
https://cve.org/CVERecord?id=CVE-2026-25882
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25882.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25882
Published
2026-02-24T21:05:28.211Z
Modified
2026-03-04T22:29:01.383135Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
Summary
Fiber has a Denial of Service Vulnerability via Route Parameter Overflow
Details

Fiber is an Express-inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25882.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-129"
    ]
}

Affected packages

Git / github.com/gofiber/fiber

Affected ranges

Type
GIT
Repo
https://github.com/gofiber/fiber
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.52.12"
        }
    ]
}
Type
GIT
Repo
https://github.com/gofiber/fiber
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.0"
        }
    ]
}

Affected versions

v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v2.15.0
v2.16.0
v2.17.0
v2.18.0
v2.19.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.20.0
v2.20.1
v2.20.2
v2.21.0
v2.22.0
v2.23.0
v2.24.0
v2.25.0
v2.26.0
v2.27.0
v2.28.0
v2.29.0
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.30.0
v2.31.0
v2.32.0
v2.33.0
v2.34.0
v2.34.0-rc.1
v2.34.1
v2.35.0
v2.36.0
v2.37.0
v2.37.0-rc.1
v2.37.1
v2.38.0
v2.38.1
v2.39.0
v2.4.0
v2.4.1
v2.40.0
v2.40.1
v2.41.0
v2.42.0
v2.43.0
v2.44.0
v2.45.0
v2.46.0
v2.47.0
v2.48.0
v2.49.0
v2.49.1
v2.49.2
v2.5.0
v2.50.0
v2.51.0
v2.52.0
v2.52.1
v2.52.10
v2.52.11
v2.52.2
v2.52.3
v2.52.4
v2.52.5
v2.52.6
v2.52.7
v2.52.8
v2.52.9
v2.6.0
v2.7.0
v2.7.1
v2.8.0
v2.9.0
v3.*
v3.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25882.json"