PT-2026-21802 · Fiber · Fiber

Wodzen · Published 2026-02-24 · Updated 2026-03-03 · CVE-2026-25891

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Fiber versions 3.0.0 and earlier (the advisory lists the affected range as 3.0.0 through 3.0.0)
Description: A path traversal flaw exists in Fiber's static middleware. On Windows, a remote, unauthenticated attacker can bypass the middleware's path sanitizer and read arbitrary files on the server file system. Two factors combine to cause the issue: the sanitizer checks for backslash characters before URL decoding, so a percent-encoded backslash passes the check and only becomes a literal backslash afterwards; and the subsequent path.Clean call is designed for slash-separated paths and does not treat the backslash as a directory separator, so it leaves backslash-separated sequences like `..\..\` intact instead of collapsing them. Because Windows does treat the backslash as a separator, the "cleaned" path still climbs out of the static root when it is joined with the served directory. The vulnerable code is the sanitizePath function in middleware/static/static.go. Successful exploitation gives directory traversal on the host server and read access to files outside the served directory, including configuration files, source code and system files.
Recommendations Update to Fiber version 3.1.0 or later.
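The following is an added illustrative reconstruction of the ordering flaw described above; it is not Fiber's code, not the sanitizePath function, and not the 3.1.0 fix. The function names, the `C:\app\public` root, the probe request path, and the Windows resolution simulation (done with string replacement and path.Clean so the program runs on any OS) are all assumptions made for the example. It shows that a request whose backslashes are percent-encoded passes a backslash check that runs before decoding, that path.Clean then leaves the decoded `..\..\` segments untouched, and that a Windows-style join therefore lands outside the static root; the hardened variant decodes first and rejects backslashes afterwards.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// vulnerableSanitize reconstructs the flawed ordering the advisory describes
// (illustrative reimplementation, not the project's own sanitizePath):
// the backslash check runs on the raw request path, decoding happens after it,
// and path.Clean keeps "..\..\x" as one ordinary segment because it only knows
// '/' as a separator.
func vulnerableSanitize(raw string) (string, bool) {
	if strings.Contains(raw, `\`) {
		return "", false // literal backslashes are caught, encoded ones are not
	}
	decoded, err := url.PathUnescape(raw) // "%5c" becomes a real backslash here
	if err != nil {
		return "", false
	}
	return path.Clean("/" + decoded), true
}

// hardenedSanitize decodes first and only then rejects backslashes, so a
// separator cannot hide behind percent-encoding. (Mapping '\' to '/' before
// path.Clean would be another defensible choice; this example simply rejects.)
func hardenedSanitize(raw string) (string, bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", false
	}
	if strings.Contains(decoded, `\`) {
		return "", false
	}
	return path.Clean("/" + decoded), true
}

// simulateWindowsResolve emulates how Windows resolves root + rel: both '/'
// and '\' are separators, so ".." segments written with backslashes still climb.
// This is a simulation (assumption) so the example is portable; on a real
// Windows host the OS performs this resolution when the file is opened.
func simulateWindowsResolve(root, rel string) string {
	joined := strings.ReplaceAll(root, `\`, "/") + "/" + strings.ReplaceAll(rel, `\`, "/")
	return path.Clean(joined)
}

// escapesRoot reports whether the resolved path lies outside the static root.
func escapesRoot(root, resolved string) bool {
	r := strings.ReplaceAll(root, `\`, "/")
	return resolved != r && !strings.HasPrefix(resolved, r+"/")
}

func main() {
	root := `C:\app\public` // assumed static root for the example
	// Constructed probe: backslashes sent as %5c so the raw string contains no
	// literal '\' and slips past the pre-decoding check.
	probe := "/..%5c..%5cWindows%5cwin.ini"

	cleaned, ok := vulnerableSanitize(probe)
	fmt.Printf("vulnerable sanitizer accepted=%v cleaned=%q\n", ok, cleaned)
	resolved := simulateWindowsResolve(root, cleaned)
	fmt.Printf("windows-style resolution: %s (escapes root: %v)\n", resolved, escapesRoot(root, resolved))

	_, ok = hardenedSanitize(probe)
	fmt.Printf("hardened sanitizer accepted=%v\n", ok)

	// Forward-slash traversal is already neutralised by path.Clean in both variants.
	safe, _ := vulnerableSanitize("/css/../../index.html")
	fmt.Printf("slash traversal cleaned to %q\n", safe)
}
```

Running it prints the cleaned probe still containing `..\..\`, a resolved path of `C:/Windows/win.ini` outside the root, and a rejection from the hardened variant; the forward-slash case collapses to `/index.html` either way, which is why the bug is Windows-specific.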

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-25891
GHSA-M3C2-496V-CW3V
GO-2026-4540
SUSE-SU-2026:0757-1

Affected Products

Fiber