Cyber Resilience

CVE-2026-25882

Severity: Medium · Public PoC

Published: 24 February 2026

Modified: 27 February 2026
CVSS v4.0 base score: 5.5 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0008 (24.1st percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-25882 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Gofiber Fiber. Its CVSS v4.0 base score is 5.5 (Medium); under CVSS v3.1 it scores 7.5 (High), the two vectors differing mainly in how they rate the availability impact (VA:L versus A:H).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25882 is a denial-of-service vulnerability in Fiber, an Express-inspired web framework written in Go, affecting the v2 branch before 2.52.12 and the v3 branch before 3.1.0. The issue stems from missing validation during route registration combined with an unbounded array write during request matching: a route whose pattern declares more than 30 parameters is accepted at registration, and when a request matches that route the matcher writes parameter values past the end of the fixed-size parameter array. In Go an out-of-range array write is a runtime panic, so unless something recovers it the whole process exits and every client loses service. The weakness is classified under CWE-129 (Improper Validation of Array Index); the CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Remote attackers can exploit this vulnerability without authentication by sending a crafted HTTP request that matches a route registered with more than 30 path parameters, provided the Fiber application exposes such a route over the network. The precondition is on the application's route table, not on the request alone: an application whose route patterns all declare 30 or fewer parameters is not reachable through this bug, so auditing the route table is the quickest way to establish exposure before the upgrade lands. Successful exploitation crashes the server through the unbounded array write, denying service to all users until the process is restarted. No privileges, user interaction, or special conditions are required beyond network access to the affected route.

Patches are available in Fiber 2.52.12 for the v2 branch and 3.1.0 for the v3 branch; they add validation so that the unbounded array write can no longer occur. Security practitioners should upgrade to these versions immediately and review the GitHub security advisory (GHSA-mrq8-rjmw-wpq3) and the associated pull request (#3962) for implementation details, including the changes to path.go around route parameter handling.
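The mechanism described in the three paragraphs above, and the registration-time validation listed under Mitigating Controls, as an added Go example. This is illustrative code written for this page, not Fiber's implementation and not taken from the advisory or the pull request: a simplified matcher with a fixed 30-slot parameter array, the runtime panic a route with 31 parameters produces, the hardened registration check, and an audit helper to run over an application's route table. The constant maxParams, the ":name" pattern syntax, the omission of wildcard and optional parameters, and every function name are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// maxParams is the fixed per-request parameter capacity described in the
// advisory (30). The constant and the simplified matcher below are
// assumptions for illustration; none of this is Fiber's own code.
const maxParams = 30

// countParams returns the number of ":name" segments in a route pattern.
// Wildcard and optional parameters are not modelled (assumption).
func countParams(pattern string) int {
	n := 0
	for _, seg := range strings.Split(pattern, "/") {
		if strings.HasPrefix(seg, ":") {
			n++
		}
	}
	return n
}

// matchUnchecked models the vulnerable path: parameter values are written by
// position into a fixed-size array. Because nothing validated the pattern at
// registration, a pattern with more than maxParams parameters writes past the
// end of the array and the Go runtime panics (index out of range, CWE-129).
func matchUnchecked(pattern, path string, values *[maxParams]string) bool {
	psegs := strings.Split(pattern, "/")
	rsegs := strings.Split(path, "/")
	if len(psegs) != len(rsegs) {
		return false
	}
	i := 0
	for k, seg := range psegs {
		if strings.HasPrefix(seg, ":") {
			values[i] = rsegs[k] // panics once i reaches maxParams
			i++
		} else if seg != rsegs[k] {
			return false
		}
	}
	return true
}

// TryMatch runs the vulnerable matcher under recover() so the panic can be
// observed in-process. In a server with nothing recovering the panic it
// terminates the process, which is the denial of service.
func TryMatch(pattern, path string) (matched, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	var values [maxParams]string
	matched = matchUnchecked(pattern, path, &values)
	return matched, panicked
}

// RegisterChecked is the hardened form: reject an over-long pattern when the
// route is registered, before any request can reach the matcher.
func RegisterChecked(pattern string) error {
	if n := countParams(pattern); n > maxParams {
		return fmt.Errorf("route %q declares %d parameters, maximum is %d", pattern, n, maxParams)
	}
	return nil
}

// AuditRoutes returns the patterns in a route table that exceed maxParams,
// which tells you whether an unpatched application is reachable through this bug.
func AuditRoutes(patterns []string) []string {
	var over []string
	for _, p := range patterns {
		if countParams(p) > maxParams {
			over = append(over, p)
		}
	}
	return over
}

// PatternWithParams builds "/:p0/:p1/..." with n parameters; PathWithSegments
// builds the matching request path "/v0/v1/...".
func PatternWithParams(n int) string { return build(n, ":p") }
func PathWithSegments(n int) string  { return build(n, "v") }

func build(n int, prefix string) string {
	parts := make([]string, n)
	for i := range parts {
		parts[i] = fmt.Sprintf("%s%d", prefix, i)
	}
	return "/" + strings.Join(parts, "/")
}

func main() {
	// Constructed route table: an ordinary route, one at the limit, one over it.
	routes := []string{"/users/:id", PatternWithParams(30), PatternWithParams(31)}
	fmt.Println("routes over the limit:", len(AuditRoutes(routes)))
	m, p := TryMatch(PatternWithParams(30), PathWithSegments(30))
	fmt.Printf("30 params: matched=%v panicked=%v\n", m, p)
	m, p = TryMatch(PatternWithParams(31), PathWithSegments(31))
	fmt.Printf("31 params: matched=%v panicked=%v\n", m, p)
	fmt.Println("checked registration:", RegisterChecked(PatternWithParams(31)))
}
```

The point of the split between TryMatch and RegisterChecked is where the check lives: once an over-long pattern is in the route table, every request that matches it reaches the out-of-range write, so the only complete fix is to refuse the pattern at registration, which is what the patched releases do. AuditRoutes is the check to run against your own route list while the upgrade is pending.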


Vulnerability details

Fiber is an Express inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.

CWE(s)

CWE-129 Improper Validation of Array Index

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote, unauthenticated exploitation of a public-facing web application (T1190) via crafted HTTP requests, and the resulting crash is Endpoint DoS through software vulnerability exploitation (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-25891 (same product: Gofiber Fiber)
CVE-2026-25899 (same product: Gofiber Fiber)
CVE-2025-66630 (same product: Gofiber Fiber)
CVE-2026-32285 (shared CWE-129)
CVE-2025-69248 (shared CWE-129)
CVE-2026-40886 (shared CWE-129)
CVE-2026-0528 (shared CWE-129)
CVE-2026-41643 (shared CWE-129)
CVE-2026-32286 (shared CWE-129)
CVE-2026-33281 (shared CWE-129)

Affected Assets

gofiber/fiber
2.0.0 up to but not including 2.52.12 · 3.0.0 up to but not including 3.1.0

Mitigating Controls (NIST 800-53 r5) [AI]

SI-2 Flaw Remediation (prevent)

Patching the Fiber framework to 2.52.12 (v2) or 3.1.0 (v3) removes the unbounded array write during route parameter matching and is the only complete fix.

SC-5 Denial-of-service Protection (prevent, detect)

Denial-of-service protections reduce the blast radius while the patch is pending: rate limiting and request-shape filtering at a reverse proxy or WAF can keep abnormal requests from reaching a vulnerable route, and supervised automatic restart shortens the outage if the process does crash. These are compensating controls, not a fix.

SI-10 Information Input Validation (prevent)

Validating route definitions at registration time, rejecting any pattern that declares more parameters than the matcher's fixed array can hold (the approach the patch takes), ensures that no request can drive the parameter index out of range and crash the application.
