CVE-2026-25882 PUBLISHED

Fiber has a Denial of Service Vulnerability via Route Parameter Overflow

Assigner: GitHub_M
Reserved: 06.02.2026 Published: 24.02.2026 Updated: 24.02.2026

Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
CVSS Score: 5.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	gofiber
Product	fiber
Versions	Version >= 2.0.0, < 2.52.12 is affected Version >= 3.0.0, < 3.1.0 is affected

References

Problem Types

CWE-129: Improper Validation of Array Index CWE