CVE-2026-25882
Published: 24 February 2026
Summary
CVE-2026-25882 is a medium-severity Improper Validation of Array Index (CWE-129) vulnerability in Gofiber Fiber. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 24.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-25882 is a denial-of-service vulnerability in Fiber, an Express-inspired web framework written in Go, affecting versions v2 and v3 prior to the patched releases. The issue stems from missing validation during route registration combined with an unbounded array write operation during request matching, specifically triggered when processing routes with more than 30 parameters. This leads to application crashes and is classified under CWE-129 (Improper Validation of Array Index), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Remote attackers can exploit this vulnerability without authentication by sending crafted HTTP requests to any route endpoint that accepts parameters, provided the Fiber application exposes such routes over the network. Successful exploitation causes the server to crash due to the unbounded array write, resulting in a denial of service that disrupts availability for all users until the service is restarted. No privileges, user interaction, or special conditions are required beyond network access to the application.
Patches are available in Fiber version 2.52.12 for the v2 branch and version 3.1.0 for the v3 branch, which introduce proper validation to prevent the unbounded array writes. Security practitioners should upgrade to these versions immediately and review the GitHub security advisory (GHSA-mrq8-rjmw-wpq3) and associated pull request (#3962) for implementation details, including changes around path.go lines relevant to route parameter handling.
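A registration-time guard of the kind the fix describes, added here as an illustration and not Fiber's own code: it counts the placeholders in a Fiber-style route pattern and rejects any route above the 30-parameter cap, so the request-time matcher never writes past its fixed-size parameter array. The cap constant, the simplified pattern parser and the helper names (countParams, validateRoute, buildPattern) are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed cap for this example: the advisory says routes with more than
// 30 parameters trigger the unbounded write during request matching.
const maxParams = 30

// ErrTooManyParams is returned when a route would exceed the cap.
var ErrTooManyParams = errors.New("route exceeds maximum parameter count")

// countParams counts placeholders in a Fiber-style pattern: named segments
// (":id", optional ":id?") and the wildcards "*" and "+". Escaped
// delimiters ("\:") are skipped. Simplified parser for this example.
func countParams(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		switch pattern[i] {
		case '\\': // escaped character: skip the next byte
			i++
		case ':', '*', '+':
			n++
		}
	}
	return n
}

// validateRoute is the registration-time guard. Rejecting an over-limit
// pattern here means the request-time matcher never indexes past its
// fixed-size parameter array (the CWE-129 condition in the advisory).
func validateRoute(pattern string) error {
	if c := countParams(pattern); c > maxParams {
		return fmt.Errorf("%w: %d > %d in %q", ErrTooManyParams, c, maxParams, pattern)
	}
	return nil
}

// buildPattern makes a route with n named parameters, e.g. "/:p0/:p1",
// so the guard can be checked at and just above the cap.
func buildPattern(n int) string {
	var b strings.Builder
	for i := 0; i < n; i++ {
		fmt.Fprintf(&b, "/:p%d", i)
	}
	return b.String()
}
```

validateRoute(buildPattern(30)) returns nil, while buildPattern(31) is rejected with ErrTooManyParams.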
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8563
Vulnerability details
Fiber is an Express-inspired web framework written in Go. A denial of service vulnerability exists in Fiber v2 and v3 that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. The vulnerability results from missing validation during route registration combined with an unbounded array write during request matching. Version 2.52.12 patches the issue in the v2 branch and 3.1.0 patches the issue in the v3 branch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables remote, unauthenticated exploitation of public-facing web applications (T1190) via crafted HTTP requests, directly causing application crashes, which is Endpoint Denial of Service through exploitation of a software vulnerability (T1499.004).
Mitigating Controls (NIST 800-53 r5)
Remediating flaws by patching the Fiber framework to versions 2.52.12 or 3.1.0 directly eliminates the unbounded array write vulnerability during route parameter matching.
Denial-of-service protection mechanisms limit request parameters or detect excessive inputs, preventing crashes from routes with more than 30 parameters.
Validating route parameters and request inputs ensures malformed or excessive parameters do not trigger improper array index validation leading to application crashes.