
fix(deps): update module github.com/gofiber/fiber/v3 to v3.2.0 [security]#78

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/go-github.com-gofiber-fiber-v3-vulnerability

Conversation


@renovate renovate Bot commented May 6, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| github.com/gofiber/fiber/v3 | v3.1.0 -> v3.2.0 | age | confidence |

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

CVE-2026-30246 / GHSA-35hp-hqmv-8qg8


Summary

Fiber cache middleware's default key generator uses only c.Path() and does not include the query string.
As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response.

This can cause response mix-up (cache poisoning-like behavior) for endpoints where response content depends on query parameters.

Details

Default configuration in cache middleware:

  • KeyGenerator: func(c fiber.Ctx) string { return utils.CopyString(c.Path()) }

References:

The existing test demonstrates that when handler output depends on query parameter id, a second request with a different query still returns the first cached response (cache hit), confirming query is not part of the default cache key.

PoC

Minimal PoC:

```go
package main

import (
    "log"

    "github.com/gofiber/fiber/v3"
    "github.com/gofiber/fiber/v3/middleware/cache"
)

func main() {
    app := fiber.New()
    app.Use(cache.New()) // default config: cache key is c.Path() only

    // The response depends on the query parameter, but the default key does not.
    app.Get("/", func(c fiber.Ctx) error {
        return c.SendString(c.Query("id", "1"))
    })

    log.Fatal(app.Listen(":3000"))
}
```

Reproduction:

  1. GET /?id=1
    • Cache miss
    • Response body: 1
  2. GET /?id=2
    • Cache hit
    • Response body: 1 (expected 2)

Local verification command used:

```shell
go test ./middleware/cache -run Test_Cache_WithNoCacheRequestDirective -count=1
```

Observed result: test passes, confirming this is current behavior.

Impact
  • Responses that should vary by query parameters can be mixed between requests.
  • In real deployments, this may leak or corrupt user/tenant-specific content if query parameters influence context or data selection.
  • This is deployment-dependent but security-relevant, and not safe-by-default for query-variant responses.
Suggested remediation
  • Change default cache key generation to include path + normalized query string (or canonicalized original URL).
  • Keep ability for custom key generators.
  • Add explicit documentation warning that path-only keying is unsafe for query-dependent responses.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Fiber vulnerable to XSS in AutoFormat Content Negotiation

CVE-2026-42554 / GHSA-qjv7-627w-8qjv


Summary

Description

A Cross-Site Scripting (CWE-79) vulnerability in Go Fiber allows a remote attacker to inject arbitrary HTML/JavaScript by supplying Accept: text/html on any request whose handler passes attacker-influenced data to the AutoFormat() feature. This affects github.com/gofiber/fiber/v3 (DefaultRes.AutoFormat) through version 3.1.0 and github.com/gofiber/fiber/v2 (Ctx.Format) through version 2.52.12.

The developer opts into content negotiation by calling AutoFormat(), but does not opt into raw HTML emission for a particular request; Fiber chooses that branch from attacker-controlled Accept. Five of the six branches of the same method already escape. JSON, XML, MsgPack, and CBOR all route through encoders that neutralize markup; the txt branch emits text/plain and cannot execute. The html branch is the sole outlier in a method whose name (AutoFormat) and symmetrical structure actively telegraph "safe, format-agnostic reply."

Details

The issue resides in res.go within (*DefaultRes).AutoFormat(). The method negotiates against the request Accept header, selects one of html | json | txt | xml | msgpack | cbor, and serializes the caller-supplied body accordingly.

The "html" branch concatenates the stringified body directly into HTML markup with no output encoding:

  • accept comes from r.c.Accepts(...), i.e. is fully attacker-controlled. An attacker can force the "html" branch on any AutoFormat() call regardless of which format the developer tested against.
  • b is produced from body via direct assignment (string / []byte) or fmt.Sprintf("%v", body). No html.EscapeString is applied.
  • The resulting string is sent as text/html; charset=utf-8, so browsers render it as active HTML.

```go
// res.go
func (r *DefaultRes) AutoFormat(body any) error {

    accept := r.c.DefaultReq.Accepts("html", "json", "txt", "xml", "msgpack", "cbor")

    r.Type(accept)
    var b string
    switch val := body.(type) {
    case string:
        b = val
    case []byte:
        b = r.c.app.toString(val)
    default:
        b = fmt.Sprintf("%v", val)
    }

    switch accept {
    case "txt":
        return r.SendString(b)
    case "json":
        return r.JSON(body)
    case "xml":
        return r.XML(body)
    case "html":
        return r.SendString("<p>" + b + "</p>")
    case "msgpack":
        return r.MsgPack(body)
    case "cbor":
        return r.CBOR(body)
    }
    return r.SendString(b)
}
```

Impact

This impacts all current v3 releases ≤ 3.1.0 containing DefaultRes.AutoFormat, and all current v2 releases ≤ 2.52.12 where the identical "<p>" + b + "</p>" construction exists in (*Ctx).Format(). Exploitation requires that an application call c.AutoFormat(v) where v (or a field stringified by %v) contains request-influenced data.

A handler that uses AutoFormat() to serve multiple representations of the same data can be turned into an HTML XSS sink when the client sends Accept: text/html, even if the developer only tested the JSON path.

This may result in:

  • Reflected XSS in the application's origin via any request-derived value reaching AutoFormat.
  • Stored XSS where the reflected value originates from persisted input later passed to AutoFormat.
Proposed Patch

The injection surface is r.Type("html") followed by r.SendString(b) with unescaped caller data, where it constructs markup on the caller's behalf around a value whose HTML-ness the caller did not declare. A few options:

  • AutoFormat() should treat body as data, not markup, in the "html" branch and escape it before concatenating it into the framework-generated <p> wrapper. Callers that need raw negotiated HTML should use Format() with an explicit HTML handler.
  • Introduce a sibling method that escapes, leave AutoFormat alone for backward compatibility.

HTML-escape the value in the "html" branch before concatenating it into the <p> wrapper.

```go
import "html"

// ...
case "html":
    return r.SendString("<p>" + html.EscapeString(b) + "</p>")
```

html.EscapeString escapes <, >, &, ', ", which is sufficient for an element-text context. Apply the same change to v2's (*Ctx).Format().

Proof of Concept
```shell
# Create project directory
mkdir fiber-xss-poc && cd fiber-xss-poc

# Initialize Go module
go mod init fiber-xss-poc

# Install Fiber v3
go get github.com/gofiber/fiber/v3

# Create the PoC file
cat > main.go << 'EOF'
package main

import (
	"log"

	"github.com/gofiber/fiber/v3"
)

type User struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
}

func main() {
	app := fiber.New()

	// Name is request-controlled and is passed straight to AutoFormat.
	app.Get("/api/user", func(c fiber.Ctx) error {
		user := User{
			ID:   1,
			Name: c.Query("name", "anonymous"),
		}
		return c.AutoFormat(user)
	})

	log.Fatal(app.Listen(":3000"))
}
EOF

# Run it
go run main.go
```

Benign JSON

```
curl -s 'http://127.0.0.1:3000/api/user?name=Alice' -H 'Accept: application/json'
{"id":1,"name":"Alice"}
```

HTML sink enables XSS

```
curl -s 'http://127.0.0.1:3000/api/user?name=<script>alert(document.domain)</script>' -H 'Accept: text/html'
<p>{1 <script>alert(document.domain)</script>}</p>
```

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

gofiber/fiber (github.com/gofiber/fiber/v3)

v3.2.0


🚀 New

🧹 Updates

  • Optimize speed (#4231)
  • Remove duplicate benchmark handling and update benchmark action version (#4108)

🐛 Fixes

  • Fix race condition in TestTimeout_ContextPropagation (#4119)
  • Fix ARMv7 build overflow in etag middleware (#4190)
  • Fix HTML escaping in AutoFormat (#4228)
  • Structured default cache keys, and controls (#4224)
  • Enforce BodyLimit on request decompression and multipart form parsing (#4213)
  • Implement releaseData function for better resource management (#4209)
  • Strip path from referer before matching trusted origins (#4204)
  • Improve clarity for ProxyHeader and TrustProxy configuration (#4140)
  • Prefork children exit immediately in Docker containers (#4133)
  • Fix math.MaxUint32 overflow in etag middleware on 32-bit platforms (#4135)
  • Add nil checks to End() to prevent panic in streaming mode (#4128)
  • Custom binders bypass StructValidator in Body() and Custom() (#4124)

🛠️ Maintenance

  • bump actions/setup-go from 6.2.0 to 6.3.0 (#4114)
  • bump golang.org/x/net from 0.50.0 to 0.51.0 in the golang-modules group (#4113)
  • bump github.com/gofiber/schema from 1.7.0 to 1.7.1 (#4220)
  • bump actions/setup-node from 6.3.0 to 6.4.0 (#4222)
  • bump dependabot/fetch-metadata from 3.0.0 to 3.1.0 (#4221)
  • bump github.com/tinylib/msgp from 1.6.3 to 1.6.4 (#4215)
  • bump github/codeql-action from 4.35.1 to 4.35.2 (#4216)
  • bump actions/cache from 5.0.4 to 5.0.5 (#4214)
  • bump actions/github-script from 8.0.0 to 9.0.0 (#4207)
  • bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#4206)
  • bump the golang-modules group with 2 updates (#4205)
  • bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 (#4203)
  • bump golang.org/x/text from 0.35.0 to 0.36.0 in the golang-modules group (#4202)
  • bump golang.org/x/sys from 0.42.0 to 0.43.0 in the golang-modules group (#4201)
  • bump github.com/valyala/fasthttp from 1.69.0 to 1.70.0 in the fasthttp-modules group across 1 directory (#4197)
  • bump lewagon/wait-on-check-action from 1.6.0 to 1.6.1 (#4198)
  • bump streetsidesoftware/cspell-action from 8.3.0 to 8.4.0 (#4188)
  • bump github.com/andybalholm/brotli from 1.2.0 to 1.2.1 (#4174)
  • bump benchmark-action/github-action-benchmark from 1.21.0 to 1.22.0 (#4172)
  • bump actions/setup-go from 6.3.0 to 6.4.0 (#4170)
  • bump lewagon/wait-on-check-action from 1.5.0 to 1.6.0 (#4171)
  • bump github/codeql-action from 4.35.0 to 4.35.1 (#4169)
  • bump dependabot/fetch-metadata from 2.5.0 to 3.0.0 (#4165)
  • bump codecov/codecov-action from 5.5.3 to 6.0.0 (#4166)
  • bump github/codeql-action from 4.34.1 to 4.35.0 (#4164)
  • bump DavidAnson/markdownlint-cli2-action from 22.0.0 to 23.0.0 (#4161)
  • bump github.com/klauspost/compress from 1.18.4 to 1.18.5 (#4158)
  • bump github/codeql-action from 4.34.0 to 4.34.1 (#4159)
  • bump github/codeql-action from 4.33.0 to 4.34.0 (#4156)
  • bump codecov/codecov-action from 5.5.2 to 5.5.3 (#4153)
  • bump release-drafter/release-drafter from 7.1.0 to 7.1.1 (#4152)
  • bump actions/cache from 5.0.3 to 5.0.4 (#4151)
  • bump release-drafter/release-drafter from 7.0.0 to 7.1.0 (#4147)
  • bump release-drafter/release-drafter from 6.4.0 to 7.0.0 (#4142)
  • bump github/codeql-action from 4.32.6 to 4.33.0 (#4141)
  • bump the golang-modules group with 3 updates (#4138)
  • bump golang.org/x/sys from 0.41.0 to 0.42.0 in the golang-modules group (#4136)
  • bump release-drafter/release-drafter from 6.3.0 to 6.4.0 (#4137)
  • bump github/codeql-action from 4.32.5 to 4.32.6 (#4131)
  • bump release-drafter/release-drafter from 6.2.0 to 6.3.0 (#4130)
  • bump actions/setup-node from 6.2.0 to 6.3.0 (#4129)
  • bump benchmark-action/github-action-benchmark from 1.20.7 to 1.21.0 (#4126)
  • bump github/codeql-action from 4.32.4 to 4.32.5 (#4123)

📚 Documentation

  • Key Value Expectation Notice (KeyAuth Middleware) (#4183)
  • Document array query parameter formats for Query binder (#4116)

📒 Documentation: https://docs.gofiber.io/next/

💬 Discord: https://gofiber.io/discord

Full Changelog: gofiber/fiber@v3.1.0...v3.2.0

Thank you @JonasDoe, @ReneWerner87, @adrian-lin-1-0-0, @aviu16, @gaby, @ha-sante, @loderunner, @meruiden, @mutantkeyboard and @sixcolors for making this release possible.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
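Both advisories in this PR come down to a missing normalization step before a value is reused: the cache middleware keyed on the path alone, and the AutoFormat "html" branch concatenated request data into markup without escaping. The Go program below is an added illustration, not code from Fiber, from the advisories, or from this Renovate PR. It implements the two remediations the advisories suggest with the standard library only: a key function that appends the canonicalized query string to the path (hypothetical helpers `cacheKey` and `pathOnlyKey`, the latter reproducing the path-only default for comparison; the actual v3.2.0 change is #4224, "Structured default cache keys, and controls"), and an escaped counterpart to the `<p>` wrapper (`safeHTMLParagraph` beside `unsafeHTMLParagraph`, which mirrors the quoted res.go branch). The `User` struct and the sample URLs are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"html"
	"net/url"
)

// User is a constructed sample body with the same shape as the advisory's PoC.
type User struct {
	ID   int
	Name string
}

// pathOnlyKey reproduces the behaviour of the default key generator described
// in the cache advisory: only the path is used, so every query variant of a
// path shares one cache entry. Hypothetical helper, kept for comparison.
func pathOnlyKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	return u.Path, nil
}

// cacheKey is the suggested remediation: path plus a normalized query string.
// url.Values.Encode sorts parameters by name and re-encodes every value, so
// "/?b=2&a=1" and "/?a=1&b=2" map to one key while "/?id=1" and "/?id=2"
// stay separate. Hypothetical helper, not Fiber's own KeyGenerator.
func cacheKey(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if len(q) == 0 {
		return u.Path, nil
	}
	return u.Path + "?" + q.Encode(), nil
}

// stringify mirrors how the quoted AutoFormat stringifies its body argument:
// strings and byte slices pass through, anything else goes through %v.
func stringify(body any) string {
	switch v := body.(type) {
	case string:
		return v
	case []byte:
		return string(v)
	default:
		return fmt.Sprintf("%v", v)
	}
}

// unsafeHTMLParagraph mirrors the vulnerable "html" branch: the body text is
// concatenated into markup without any output encoding.
func unsafeHTMLParagraph(body any) string {
	return "<p>" + stringify(body) + "</p>"
}

// safeHTMLParagraph applies the fix proposed in the XSS advisory: the body is
// treated as data and HTML-escaped before it is wrapped in <p>.
func safeHTMLParagraph(body any) string {
	return "<p>" + html.EscapeString(stringify(body)) + "</p>"
}

func main() {
	// Constructed sample URLs: query variants, reordered parameters, no query.
	for _, raw := range []string{"/?id=1", "/?id=2", "/?b=2&a=1", "/?a=1&b=2", "/users"} {
		p, _ := pathOnlyKey(raw)
		k, _ := cacheKey(raw)
		fmt.Printf("%-12s path-only=%-8s path+query=%s\n", raw, p, k)
	}

	// The advisory's PoC input, rendered through both branches.
	u := User{ID: 1, Name: "<script>alert(document.domain)</script>"}
	fmt.Println("unescaped:", unsafeHTMLParagraph(u))
	fmt.Println("escaped:  ", safeHTMLParagraph(u))
}
```

In a Fiber application the key function would be supplied through the cache middleware's `KeyGenerator` option, which receives a `fiber.Ctx` rather than a raw URL string; the version here takes a string so it runs without the framework. Because `url.Values.Encode` decodes and re-encodes every parameter, values that differ only in percent-encoding of the same bytes also collapse to one key, which is the desired behaviour for a cache but worth knowing when comparing keys against access logs.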


renovate Bot commented May 6, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 2 additional dependencies were updated

Details:

| Package | Change |
|---|---|
| github.com/gofiber/schema | v1.7.0 -> v1.7.1 |
| github.com/gofiber/utils/v2 | v2.0.3 -> v2.0.4 |
