CVE-2026-25891
Published: 24 February 2026
Summary
CVE-2026-25891 is a high-severity Path Traversal (CWE-22) vulnerability in Gofiber Fiber. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-25891 is a Path Traversal vulnerability (CWE-22) in Fiber, an Express-inspired web framework written in Go. The flaw allows a remote attacker to bypass the static middleware sanitizer and access arbitrary files on the server file system, but it is limited to Windows environments. It affects Fiber versions from v3 through 3.0.0 and has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation enables the attacker to read sensitive files on the affected Windows server, potentially exposing configuration data, source code, or other confidential information without impacting integrity or availability.
The vulnerability has been patched in Fiber v3 version 3.1.0. Official advisories and references, including the GitHub security advisory (GHSA-m3c2-496v-cw3v), pull request 4064, and commit 59133702301c2ab7b776dd123b474cbd995f2c86, detail the fix and recommend upgrading to the patched version.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8565
Vulnerability details
Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. This affects…
more
Fiber v3 through version 3.0.0. This has been patched in Fiber v3 version 3.1.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in public-facing Fiber web framework static middleware directly enables remote unauthenticated file read on Windows servers, mapping to exploitation of internet-facing applications for initial access and sensitive data exposure.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely patching of the Fiber framework path traversal flaw from v3-3.0.0 to v3.1.0, eliminating the vulnerability.
Enforces validation of user-supplied path inputs in the static middleware to block traversal sequences like '../' accessing arbitrary Windows files.
Implements boundary protections such as web application firewalls to inspect and deny path traversal payloads at network entry points.