CRITICAL🇵🇱 Wersja polska

CVE-2024-38513

CVSS 10.0v3.1pub. 2024-07-01upd. 2025-10-02

Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.

🤖 AI Analysis
How it works

The vulnerability (CWE-384 — Session Fixation) consists of the GoFiber session middleware accepting a session_id value supplied directly by the user and creating a new session based on it. An attacker can predetermine a known session identifier and then convince the victim to authenticate using this identifier. As a result, the attacker gains access to the authenticated user's session because the server does not generate a new random identifier after login. The issue affects all applications using sessions in GoFiber version 2 and higher, up to version 2.52.5.

Impact

An attacker can gain unauthorized access to another user's session (including privileged accounts), which can consequently lead to account takeover, disclosure of sensitive data, and compromise of application integrity.

Mitigation & patch

GoFiber Fiber should be updated to version 2.52.5 or later as soon as possible. If immediate update is not possible, the following workarounds are recommended: (1) implement additional server-side validation that prevents accepting user-supplied session identifiers — session_id should always be securely generated by the server; (2) regular session identifier rotation and enforcement of strict session expiration policies.

Who is affected

GoFiber Fiber in versions 2.x below 2.52.5 — all applications using the built-in session middleware of this framework.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Gofiber Fiber

    APP
    Gofiber
    < 2.52.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-66630CRITICAL9.2PL ✓ten sam produkt

Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów

CVE-2024-25124CRITICAL9.4PL ✓ten sam produkt

Gofiber Fiber: Niebezpieczna konfiguracja CORS middleware (wildcard + credentials)

CVE-2023-45128CRITICAL10.0ten sam produkt

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability ha...

CVE-2026-25891HIGH7.7ten sam produkt

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber all...

CVE-2026-25899HIGH7.5ten sam produkt

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use...