PT-2026-21801 · Fiber · Fiber

Theaspectdev · Published 2026-02-24 · Updated 2026-03-03 · CVE-2026-25882

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Fiber versions prior to 2.52.12
Fiber versions prior to 3.0.1

Description

Fiber is an Express-inspired web framework written in Go. A denial of service issue exists in Fiber that allows remote attackers to crash the application by sending requests to routes with more than 30 parameters. This is due to missing validation during route registration and an unbounded array write during request matching. The vulnerability affects versions 2 and 3. Exploitation requires no authentication and only a single HTTP request. The issue can lead to public API outages, microservice failures, and alert fatigue. The vulnerable code is located in path.go at lines 514 (v3) and 516 (v2).

Recommendations

For versions prior to 2.52.12, update to version 2.52.12 or later.
For versions prior to 3.0.1, update to version 3.0.1 or later.
As a temporary workaround, audit routes to ensure all routes have 30 or fewer parameters.
As a temporary workaround, disable dynamic routing and validate parameter counts during route registration.
As a temporary workaround, deploy aggressive rate limiting to mitigate potential denial of service attacks.
As a temporary workaround, implement monitoring to alert on panic patterns in application logs.
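
One way to carry out the route audit workaround, as an added example that is not part of the advisory or of Fiber's own code. The `Route` type, the function names and the sample routes are hypothetical, and the counting rule is an assumption about Fiber's pattern syntax that may over-count (for instance, when these characters appear inside a parameter constraint), which is the safe direction for an audit.

```go
package main

import (
	"fmt"
	"strings"
)

const MaxParams = 30 // per-route parameter limit stated in the advisory

type Route struct{ Method, Path string } // hypothetical pair for this example

// CountParams returns an upper bound on a pattern's parameters. Assumption:
// ':' starts a named parameter, '*' and '+' are wildcards, '\' escapes.
func CountParams(pattern string) int {
	n := 0
	for i := 0; i < len(pattern); i++ {
		switch pattern[i] {
		case '\\':
			i++ // skip the escaped character
		case ':', '*', '+':
			n++
		}
	}
	return n
}

// Audit returns the routes whose parameter count exceeds MaxParams.
func Audit(routes []Route) (bad []Route) {
	for _, r := range routes {
		if CountParams(r.Path) > MaxParams {
			bad = append(bad, r)
		}
	}
	return bad
}

// SamplePath builds a constructed pattern with n named parameters.
func SamplePath(n int) string { return strings.Repeat("/:p", n) }

func main() {
	routes := []Route{ // constructed sample input
		{"GET", "/users/:id/books/:book?"},
		{"GET", `/v1/items/name\:verb/*`},
		{"POST", SamplePath(31)},
	}
	for _, r := range Audit(routes) {
		fmt.Printf("over limit: %s %s (%d params)\n", r.Method, r.Path, CountParams(r.Path))
	}
}
```

In an application, the method and path pairs would come from the registered route table (for example, the list returned by Fiber's `app.GetRoutes()`), and a non-empty result can fail a CI step or startup check until the upgrade is deployed.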

Exploit

Fix

DoS

Improper Validation of Array Index

Weakness Enumeration

Related Identifiers

CVE-2026-25882
GHSA-MRQ8-RJMW-WPQ3
GO-2026-4543
SUSE-SU-2026:0757-1

Affected Products

Fiber