Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies.
The vulnerability (CWE-384 — Session Fixation) consists of the GoFiber session middleware accepting a session_id value supplied directly by the user and creating a new session based on it. An attacker can predetermine a known session identifier and then convince the victim to authenticate using this identifier. As a result, the attacker gains access to the authenticated user's session because the server does not generate a new random identifier after login. The issue affects all applications using sessions in GoFiber version 2 and higher, up to version 2.52.5.
An attacker can gain unauthorized access to another user's session (including privileged accounts), which can consequently lead to account takeover, disclosure of sensitive data, and compromise of application integrity.
GoFiber Fiber should be updated to version 2.52.5 or later as soon as possible. If immediate update is not possible, the following workarounds are recommended: (1) implement additional server-side validation that prevents accepting user-supplied session identifiers — session_id should always be securely generated by the server; (2) regular session identifier rotation and enforcement of strict session expiration policies.
GoFiber Fiber in versions 2.x below 2.52.5 — all applications using the built-in session middleware of this framework.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HGofiber Fiber
APPGofiber< 2.52.5
Related vulnerabilities
Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów
Gofiber Fiber: Niebezpieczna konfiguracja CORS middleware (wildcard + credentials)
Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability ha...
Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber all...
Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use...