Fiber
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:*:*, +1 more
- <= 3.1.0
- <= v2.52.12
A Cross-Site Scripting (CWE-79) vulnerability exists in the Go Fiber web framework, specifically in versions of the 'fiber' package prior to 2.52.12 and 3.1.0. It allows remote attackers to inject arbitrary HTML or JavaScript by sending an 'Accept: text/html' header on requests handled by the AutoFormat() feature. The root cause is improper handling of content negotiation: when the client asks for HTML, request-influenced data is written into the response body without HTML escaping, so a formatting helper intended for developer convenience becomes an injection point. The vulnerability is present in 'DefaultRes.AutoFormat' for Fiber v3 through 3.1.0 and in 'Ctx.Format' for Fiber v2 through 2.52.12.
Exploitation of this vulnerability leads to Cross-Site Scripting (XSS) attacks, where injected scripts are executed in the context of the user's browser, potentially causing harm to the user or the application.
To reproduce this vulnerability, create a Go Fiber application that uses the AutoFormat() function to handle requests and passes it data influenced by the request, such as a query parameter. When a request arrives with the 'Accept: text/html' header, AutoFormat() emits that data without escaping, so HTML or JavaScript in the input reaches the response body intact. This can be demonstrated by sending a request whose query parameter contains a script tag; the tag is executed when the response is rendered in a browser.
Users can upgrade to Go Fiber versions 2.52.12 or 3.1.0 and later, where this vulnerability has been fixed.
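The following is an added illustration, not Fiber's code: a dependency-free stand-in for the content negotiation described above, with the unsafe pattern (request data concatenated into an HTML body) next to the hardened version that escapes the data before it is rendered as text/html. The `negotiate`, `renderUnsafe` and `renderSafe` functions are constructed for this example and are not Fiber APIs; the only fix-relevant step is the `html.EscapeString` call.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// negotiate is a simplified Accept-header matcher (constructed for this
// example): it returns the first offered media type that appears in the
// header, treating "*/*" as a match for the first offer, and falls back to
// the first offer when nothing matches. Quality values are ignored.
func negotiate(accept string, offers ...string) string {
	for _, part := range strings.Split(accept, ",") {
		mediaType := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		for _, offer := range offers {
			if mediaType == offer || mediaType == "*/*" {
				return offer
			}
		}
	}
	return offers[0]
}

// renderUnsafe mirrors the weakness described in the advisory: for a
// text/html negotiation the request-influenced value is placed into the
// body verbatim, so markup in the value is interpreted by the browser.
func renderUnsafe(accept, data string) (contentType, body string) {
	switch negotiate(accept, "text/plain", "text/html", "application/json") {
	case "text/html":
		return "text/html", "<p>" + data + "</p>"
	case "application/json":
		b, _ := json.Marshal(map[string]string{"data": data})
		return "application/json", string(b)
	default:
		return "text/plain", data
	}
}

// renderSafe is the hardened form: the value is HTML-escaped whenever the
// negotiated type is text/html. JSON and plain-text branches are unchanged
// because json.Marshal already produces a safe encoding and text/plain is
// not parsed as markup by the browser.
func renderSafe(accept, data string) (contentType, body string) {
	switch negotiate(accept, "text/plain", "text/html", "application/json") {
	case "text/html":
		return "text/html", "<p>" + html.EscapeString(data) + "</p>"
	case "application/json":
		b, _ := json.Marshal(map[string]string{"data": data})
		return "application/json", string(b)
	default:
		return "text/plain", data
	}
}

func main() {
	// Constructed sample: a query-parameter value carrying a script tag.
	param := "<script>alert(1)</script>"
	for _, accept := range []string{"text/html", "application/json", "*/*"} {
		ct, unsafe := renderUnsafe(accept, param)
		_, safe := renderSafe(accept, param)
		fmt.Printf("Accept: %-16s -> %s\n  unsafe: %s\n  safe:   %s\n", accept, ct, unsafe, safe)
	}
}
```

The same principle applies to a real Fiber handler: any value that reaches a Format/AutoFormat call and can be emitted as HTML must be escaped (or the HTML branch dropped from the offered formats) unless the value is already trusted markup.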