Fiber Denial-of-Service Vulnerability via Route Parameter Overflow

Vulnerability

A denial-of-service vulnerability has been identified in the Fiber web framework, specifically in versions 2.52.10 and prior to 3.1.0. This vulnerability allows remote attackers to crash applications by sending requests to routes that include more than 30 parameters. The issue arises from a lack of proper validation during route registration, coupled with an unbounded write to an array during request processing. When a route with excessive parameters is matched, the application experiences a runtime panic, causing a crash.

Impact

Exploitation of this vulnerability leads to a runtime panic and application crash, causing a complete disruption of the service. This can be particularly damaging for public APIs or critical microservices, where such a failure can cascade through the system, disrupt auto-scaling processes, and create alert fatigue by flooding logs with error messages.

Reproduction

To reproduce this vulnerability, first register a route that includes more than 30 parameters. This can be done by appending parameter placeholders to the route path. Once the route is registered, send an HTTP request that matches the route and includes values for all the parameters. The server will crash during the request processing, resulting in a runtime panic due to an index out-of-range error.

Remediation

Users can update to Fiber version 2.52.12 or 3.1.0, both of which patch this vulnerability. Additionally, routes can be audited to ensure they do not exceed 30 parameters, dynamic routing can be disabled or validated, and aggressive rate limiting can be deployed to mitigate the impact of potential denial-of-service attacks.

Added: Feb 24, 2026, 9:18 PM
Updated: Feb 24, 2026, 11:44 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
2.5
exploitability
9.7
remediation
8.3
relevance
2.1
threat
6.4
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.