github.com/gofiber/fiber/v2 (Go) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Go package github.com/gofiber/fiber/v2, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2023-45128 — CVSS 10.0 (critical): Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the…
CVE-2024-38513 — CVSS 10.0 (critical): Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue…
CVE-2025-66630 — CVSS 9.4 (critical): Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand…
CVE-2024-25124 — CVSS 9.4 (critical): Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could…
CVE-2023-45141 — CVSS 8.6 (high): Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the…
CVE-2025-54801 — CVSS 7.5 (high): Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form…
CVE-2026-25882 — CVSS 7.5 (high): Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote…
CVE-2025-48075 — CVSS 7.5 (high): Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser`…
CVE-2026-42554 — CVSS 6.1 (medium): Fiber is a web framework for Go. Prior to 2.52.12 and 3.1.0, Cross-Site Scripting vulnerability in Go Fiber allows a remote attacker to…
CVE-2018-20744 — CVSS 5.9 (medium): The Olivier Poitrey Go CORS handler through 1.3.0 actively converts a wildcard CORS policy into reflecting an arbitrary Origin header…
CVE-2023-41338 — CVSS 5.3 (medium): Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access…