CVE-2025-54801

216.73.217.22

· Published 06/08/2025 00:15 · Modified 07/08/2025 14:15

Labels: CVE-2025-54801 2025-08-06 CVE-2025-54801 CWE-789 [email protected]

Essential information

Published: 06/08/2025 00:15
Modified: 07/08/2025 14:15
Author: —
Creator: —
CVSS: 8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
fiber / fiber	`cpe:2.3:a:fiber:fiber:2.52.8:::::::*`
fiber / fiber	`cpe:2.3:a:fiber:fiber:<2.52.9::::::`