Fiber Web Framework Out-of-Bounds Slice Allocation Vulnerability in BodyParser

Vulnerability

A crash vulnerability has been identified in the Fiber web framework, specifically in versions 2.52.8 and prior. The issue arises when the Ctx.BodyParser function is used to parse form data with large numeric keys that represent slice indices. The underlying schema decoder fails to validate these indices before allocating slices, leading to out-of-bounds allocations. This flaw can cause integer overflows or memory exhaustion, resulting in application panics or crashes. The vulnerability is addressed in version 2.52.9.

Impact

Exploitation of this vulnerability causes the application to panic or crash, leading to a denial-of-service condition. The unvalidated input can cause memory exhaustion, further destabilizing the application.

Reproduction

To reproduce this vulnerability, create a POST request handler in a Fiber application that uses the Ctx.BodyParser method to parse form data. Send a POST request with a large numeric key in the form data, such as 'test.18446744073704'. The application will crash due to the out-of-bounds slice allocation.

Remediation

Users can upgrade to Fiber version 2.52.9 to address this vulnerability.
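For deployments that cannot upgrade immediately, the following is an added defensive pre-check written for this page, not code from the Fiber project: it parses the URL-encoded body with the Go standard library and rejects any key whose numeric path segment exceeds a cap before the body reaches a schema decoder such as BodyParser. The cap value (maxSliceIndex) and the function names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
)

// maxSliceIndex is an assumed application-level cap on the slice index a form
// key may address; the advisory gives no specific value, so pick one that fits
// the largest legitimate form your handlers accept.
const maxSliceIndex = 1000

var ErrIndexTooLarge = errors.New("form key addresses an out-of-range slice index")

// checkFormKey walks the dotted path of one key (e.g. "test.3" or "items.3.name")
// and rejects any numeric segment that would force the decoder to allocate a
// slice of more than maxSliceIndex+1 elements. A segment that does not even fit
// in a uint64 is rejected as well, since it can only be an overflow attempt.
func checkFormKey(key string) error {
	for _, seg := range strings.Split(key, ".") {
		if seg == "" || seg[0] < '0' || seg[0] > '9' {
			continue // not a numeric index, nothing to bound
		}
		idx, err := strconv.ParseUint(seg, 10, 64)
		if err != nil || idx > maxSliceIndex {
			return fmt.Errorf("%w: segment %q in key %q", ErrIndexTooLarge, seg, key)
		}
	}
	return nil
}

// ValidateFormBody parses a URL-encoded body and checks every key, so an
// oversized index is refused before any slice allocation can happen.
func ValidateFormBody(body string) error {
	values, err := url.ParseQuery(body)
	if err != nil {
		return err
	}
	for key := range values {
		if err := checkFormKey(key); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	// Constructed sample bodies: a benign one and the shape from the advisory.
	for _, body := range []string{"test.0=a&test.1=b", "test.18446744073704=x"} {
		fmt.Printf("%q -> %v\n", body, ValidateFormBody(body))
	}
}
```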

Added: Aug 6, 2025, 12:31 AM
Updated: Aug 6, 2025, 12:31 AM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.