Path Traversal in Gofiber Fiber

CVE-2026-25891

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber allows a remote attacker to bypass the static middleware sanitizer and read arbitrary files on the server file system on Windows. Th…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.000 (11.1th percentile) — read the EPSS interpretation.

Affected products

Gofiber Fiber — versions >= 3.0.0, < 3.1.0

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/gofiber/fiber/security/advisories/GHSA-m3c2-496v-cw3v (x_refsource_CONFIRM)
https://github.com/gofiber/fiber/pull/4064 (x_refsource_MISC)
https://github.com/gofiber/fiber/commit/59133702301c2ab7b776dd123b474cbd995f2c86 (x_refsource_MISC)