github.com/gofiber/fiber
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*
- <= 3.1.0
A cache key generation vulnerability has been identified in the cache middleware of the Fiber web framework for Go, in versions through 3.1.0. The default key generator relies solely on the request path and excludes the query string, so requests with identical paths but different query parameters share a cache key and are served the same cached response. On endpoints whose output depends on query parameters, this can expose data meant for a different request.
The result is cache-poisoning-like behavior on query-dependent endpoints. In real-world scenarios, it may inadvertently leak or corrupt user-specific data if the response is influenced by query parameters.
To reproduce this vulnerability, send requests to a query-dependent endpoint that is served through the default cache middleware. Make the first request with a query parameter such as 'id=1'; it results in a cache miss and a response body of '1'. Then send a second request with a different query parameter, 'id=2'. This request hits the cache and returns the response body '1' instead of the expected '2', demonstrating that the cache key did not account for the query string.
Update to Fiber version 3.1.1 or later, where this vulnerability is fixed. For those using the cache middleware on an affected version, it is recommended to set a custom key generator that includes the query string.
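The reproduction and the key-generator fix described above, modelled with Go's standard library only. This is an added example, not Fiber's code: `Cache`, `PathOnlyKey`, `PathAndQueryKey` and `SecondResponse` are hypothetical names, and the `/item` endpoint is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// PathOnlyKey models the vulnerable default: the query string is ignored.
func PathOnlyKey(r *http.Request) string { return r.URL.Path }

// PathAndQueryKey adds the query; Encode() sorts parameters, so ordering does not split entries.
func PathAndQueryKey(r *http.Request) string { return r.URL.Path + "?" + r.URL.Query().Encode() }

// Cache is a minimal in-memory response cache keyed by key(r) (a model, not Fiber's middleware).
func Cache(key func(*http.Request) string, next http.Handler) http.Handler {
	var store sync.Map
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		k, status := key(r), "hit"
		body, ok := store.Load(k)
		if !ok {
			rec := httptest.NewRecorder()
			next.ServeHTTP(rec, r)
			body, status = rec.Body.String(), "miss"
			store.Store(k, body)
		}
		w.Header().Set("X-Cache", status)
		fmt.Fprint(w, body)
	})
}

// SecondResponse sends ?id=1 then ?id=2 through a fresh cache and returns the second reply.
func SecondResponse(key func(*http.Request) string) (string, string) {
	h := Cache(key, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, r.URL.Query().Get("id")) // query-dependent endpoint (constructed)
	}))
	var rec *httptest.ResponseRecorder
	for _, target := range []string{"/item?id=1", "/item?id=2"} {
		rec = httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	}
	return rec.Header().Get("X-Cache"), rec.Body.String()
}

func main() {
	fmt.Println(SecondResponse(PathOnlyKey))     // second request is answered from cache
	fmt.Println(SecondResponse(PathAndQueryKey)) // second request reaches the handler
}
```

The same two-request sequence works as a regression test against a real deployment: the second response must carry the body for its own `id`.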