Cyber Posture

CVE-2026-25882

High · Public PoC

Published: 24 February 2026

Modified: 27 February 2026
KEV Added: not listed
Patch
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0008 (23.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25882 is a high-severity Improper Validation of Array Index (CWE-129) vulnerability in Gofiber Fiber. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

This CVE enables remote, unauthenticated exploitation of public-facing web applications (T1190) via crafted HTTP requests, directly crashing the application and causing an endpoint denial of service through software vulnerability exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Fiber is an Express-inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

Deeper analysis (AI-generated)

CVE-2026-25882 is a denial-of-service vulnerability in Fiber, an Express-inspired web framework written in Go, affecting versions v2 and v3 prior to the patched releases. The issue stems from missing validation during route registration combined with an unbounded array write operation during request matching, specifically triggered when processing routes with more than 30 parameters. This leads to application crashes and is classified under CWE-129 (Improper Validation of Array Index), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers can exploit this vulnerability without authentication by sending crafted HTTP requests to any route endpoint that accepts parameters, provided the Fiber application exposes such routes over the network. Successful exploitation causes the server to crash due to the unbounded array write, resulting in a denial of service that disrupts availability for all users until the service is restarted. No privileges, user interaction, or special conditions are required beyond network access to the application.

Patches are available in Fiber version 2.52.12 for the v2 branch and version 3.1.0 for the v3 branch, which introduce proper validation to prevent the unbounded array writes. Security practitioners should upgrade to these versions immediately and review the GitHub security advisory (GHSA-mrq8-rjmw-wpq3) and associated pull request (#3962) for implementation details, including changes around path.go lines relevant to route parameter handling.
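A defender-side inventory check, added here as an example (not code from Fiber, from the patch in #3962, or from this page): it scans go.mod text for the Fiber module and flags requirements older than the fixed releases named above, 2.52.12 for v2 and 3.1.0 for v3. It assumes the module paths github.com/gofiber/fiber/v2 and github.com/gofiber/fiber/v3 and Go's usual v-prefixed semver pins; the sample go.mod is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed releases named in the advisory: 2.52.12 for the v2 branch, 3.1.0 for v3.
// Module paths are assumed (Fiber's major versions publish as /v2 and /v3).
var fixedVersions = map[string]string{
	"github.com/gofiber/fiber/v2": "v2.52.12",
	"github.com/gofiber/fiber/v3": "v3.1.0",
}

// parseSemver reads "v2.52.11" into [2 52 11], leaving any "-rc1" style suffix
// unread; ok is false unless three integer fields were found.
func parseSemver(v string) (p [3]int, ok bool) {
	n, err := fmt.Sscanf(strings.TrimPrefix(v, "v"), "%d.%d.%d", &p[0], &p[1], &p[2])
	return p, err == nil && n == 3
}

// isVulnerable reports whether a Fiber requirement is older than the fixed
// release for its major; unknown modules or unparseable versions are never guessed at.
func isVulnerable(module, version string) bool {
	have, ok1 := parseSemver(version)
	want, ok2 := parseSemver(fixedVersions[module]) // "" for unknown modules
	for i := 0; ok1 && ok2 && i < 3; i++ {
		if have[i] != want[i] {
			return have[i] < want[i]
		}
	}
	return false // unknown module, unparseable version, or already at the fix
}

// scanGoMod returns the "module version" requirements in go.mod text that fall
// in the vulnerable range, handling both single-line and block-style requires.
func scanGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) >= 2 && isVulnerable(f[0], f[1]) {
			findings = append(findings, f[0]+" "+f[1])
		}
	}
	return findings
}

func main() {
	// Constructed sample go.mod (not from the advisory) with one vulnerable pin.
	sample := "module example.com/app\n\nrequire (\n\tgithub.com/gofiber/fiber/v2 v2.52.11\n\tgithub.com/valyala/fasthttp v1.51.0 // indirect\n)\n"
	for _, f := range scanGoMod(sample) {
		fmt.Println("VULNERABLE:", f, "- upgrade per CVE-2026-25882")
	}
}
```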

Details

CWE(s): CWE-129 (Improper Validation of Array Index)

Affected Products

gofiber/fiber: 2.0.0 — 2.52.12 · 3.0.0 — 3.1.0

CVEs Like This One

CVE-2026-25891 (same product: Gofiber Fiber)
CVE-2026-25899 (same product: Gofiber Fiber)
CVE-2025-66630 (same product: Gofiber Fiber)
CVE-2025-69248 (shared CWE-129)
CVE-2026-32285 (shared CWE-129)
CVE-2026-31967 (shared CWE-129)
CVE-2026-33281 (shared CWE-129)
CVE-2026-40886 (shared CWE-129)
CVE-2026-0528 (shared CWE-129)
CVE-2024-45569 (shared CWE-129)

References