Bug 2386669 (CVE-2025-54801) - CVE-2025-54801 github.com/gofiber/fiber/v2: Fiber: Out-of-Bounds Slice Allocation Crash
Summary: CVE-2025-54801 github.com/gofiber/fiber/v2: Fiber: Out-of-Bounds Slice Alloca...
Keywords:
Status: NEW
Alias: CVE-2025-54801
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2386781 2386782 2386783 2386784
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-08-06 00:02 UTC by OSIDB Bzimport
Modified: 2025-08-06 14:57 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2025-08-06 00:02:05 UTC
Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.


Note You need to log in before you can comment on or make changes to this bug.