CVE-2025-48075

Public Exploit
Fiber panics when fiber.Ctx.BodyParser parses invalid range index

Description

Fiber is an Express-inspired web framework written in Go. Starting in version 2.52.6 and prior to version 2.52.7, `fiber.Ctx.BodyParser` can map flat data to nested slices using `key[idx]value` syntax, but when idx is negative, it causes a panic instead of returning an error stating it cannot process the data. Since this data is user-provided, this could lead to denial of service for anyone relying on this `fiber.Ctx.BodyParser` functionality. Version 2.52.7 fixes the issue.

Category

7.7
CVSS
Severity: High
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.04%
Vendor Advisory github.com
Affected: gofiber fiber
Published at:
Updated at:

References

Link Tags
https://github.com/gofiber/fiber/security/advisories/GHSA-hg3g-gphw-5hhm exploit vendor advisory
https://github.com/gofiber/fiber/commit/e115c08b8f059a4a031b492aa9eef0712411853d patch

Frequently Asked Questions

What is the severity of CVE-2025-48075?
CVE-2025-48075 has been scored as a high severity vulnerability.
How to fix CVE-2025-48075?
To fix CVE-2025-48075, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2025-48075 being actively exploited in the wild?
It is possible that CVE-2025-48075 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-48075?
CVE-2025-48075 affects gofiber fiber.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.