What is CVE-2024-25124?

CVE-2024-25124 is a critical-severity vulnerability in Gofiber Fiber, classified under Origin Validation Error. CVSS score: 9.4/10. Published 2024-02-21.

How severe is CVE-2024-25124?

Critical severity. CVSS v3 base score is 9.4 out of 10.

Vulnerability in Gofiber Fiber

CVE-2024-25124

Fiber is a web framework written in go. Prior to version 2.52.1, the CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting…

EPSS: 0.005 (65.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.4 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L.

Affected products

Gofiber Fiber — versions < 2.52.1

Weakness classification (CWE)

References

https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg (x_refsource_CONFIRM)
https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23 (x_refsource_MISC)
https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials (x_refsource_MISC)
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials (x_refsource_MISC)
https://fetch.spec.whatwg.org/#cors-protocol-and-credentials (x_refsource_MISC)
https://github.com/gofiber/fiber/releases/tag/v2.52.1 (x_refsource_MISC)
https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true (x_refsource_MISC)
http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2024-25124?: CVE-2024-25124 is a critical-severity vulnerability in Gofiber Fiber, classified under Origin Validation Error. CVSS score: 9.4/10. Published 2024-02-21.
How severe is CVE-2024-25124?: Critical severity. CVSS v3 base score is 9.4 out of 10.