CRITICAL🇬🇧 English

CVE-2023-45128

CVSS 10.0v3.1pub. 2023-10-16upd. 2024-11-21

Fiber is an express inspired web framework written in Go. A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the application, which allows an attacker to inject arbitrary values and forge malicious requests on behalf of a user. This vulnerability can allow an attacker to inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. This issue has been addressed in version 2.50.0 and users are advised to upgrade. Users should take additional security measures like captchas or Two-Factor Authentication (2FA) and set Session cookies with SameSite=Lax or SameSite=Secure, and the Secure and HttpOnly attributes as defense in depth measures. There are no known workarounds for this vulnerability.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
  • Gofiber Fiber

    APP
    Gofiber
    < 2.50.0
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2025-66630CRITICAL9.2PL ✓ten sam produkt

Przewidywalne UUID w Fiber v2 — podatność na generowanie słabych identyfikatorów

CVE-2024-38513CRITICAL10.0PL ✓ten sam produkt

Session Fixation w middleware sesji GoFiber Fiber (wersje < 2.52.5)

CVE-2024-25124CRITICAL9.4PL ✓ten sam produkt

Gofiber Fiber: Niebezpieczna konfiguracja CORS middleware (wildcard + credentials)

CVE-2026-25891HIGH7.7ten sam produkt

Fiber is an Express inspired web framework written in Go. A Path Traversal (CWE-22) vulnerability in Fiber all...

CVE-2026-25899HIGH7.5ten sam produkt

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use...