CVE-2025-54801: Fiber Crashes in BodyParser Due to Unvalidated Large Slice Index in Decoder
When Fiber's Ctx.BodyParser is used to parse form data whose keys carry a very large numeric slice index (e.g., test.18446744073704), the application crashes because the underlying schema decoder performs an unbounded slice allocation.

The root cause is that the decoder allocates a slice of length idx + 1 without first checking that the index lies within a safe or reasonable range. When idx is attacker-controlled and excessively large, the addition can overflow or the requested allocation can exceed what the runtime will grant, and the resulting Go runtime panic takes down the request handler or the process. Because the index comes straight from the request body, an unauthenticated client can trigger this with a single form submission.
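The following Go program is an added illustration of the pattern the advisory describes; it is example code, not Fiber's or gofiber/schema's own decoder. It models a minimal "name.index" form-key decoder with two growth routines: one that sizes the slice to idx+1 with no bound (the vulnerable shape), and one that rejects indices above a fixed limit before allocating. The limit maxSliceIndex, the function names, and the sample form input are all assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// maxSliceIndex bounds any slice index taken from an untrusted form key.
// Assumption for this example; it is not the limit used by Fiber or gofiber/schema.
const maxSliceIndex = 1000

// splitKey splits a form key such as "test.18446744073704" into its
// field name and numeric slice index.
func splitKey(key string) (string, int64, error) {
	name, idxStr, found := strings.Cut(key, ".")
	if !found {
		return "", 0, errors.New("key has no index part")
	}
	idx, err := strconv.ParseInt(idxStr, 10, 64)
	if err != nil || idx < 0 {
		return "", 0, fmt.Errorf("index %q is not a non-negative integer", idxStr)
	}
	return name, idx, nil
}

// growUnchecked mirrors the faulty pattern: the slice is sized to idx+1 with
// no upper bound on idx. With a huge idx the make call panics ("len out of
// range"), and with a merely enormous one it tries to allocate gigabytes.
func growUnchecked(dst []string, idx int64, value string) []string {
	if int64(len(dst)) <= idx {
		grown := make([]string, idx+1)
		copy(grown, dst)
		dst = grown
	}
	dst[idx] = value
	return dst
}

// growChecked is the hardened form: reject oversized indices before any
// allocation happens, so hostile input yields an error rather than a panic.
func growChecked(dst []string, idx int64, value string) ([]string, error) {
	if idx > maxSliceIndex {
		return dst, fmt.Errorf("slice index %d exceeds limit %d", idx, maxSliceIndex)
	}
	if int64(len(dst)) <= idx {
		grown := make([]string, idx+1)
		copy(grown, dst)
		dst = grown
	}
	dst[idx] = value
	return dst, nil
}

// DecodeUnchecked decodes key/value pairs with the vulnerable growth routine.
// A panic from the allocation is converted into an error so callers can
// observe it here instead of the process dying.
func DecodeUnchecked(pairs map[string]string) (result []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	for k, v := range pairs {
		_, idx, perr := splitKey(k)
		if perr != nil {
			return nil, perr
		}
		result = growUnchecked(result, idx, v)
	}
	return result, nil
}

// DecodeChecked decodes the same input with the bounded growth routine.
func DecodeChecked(pairs map[string]string) ([]string, error) {
	var result []string
	for k, v := range pairs {
		_, idx, err := splitKey(k)
		if err != nil {
			return nil, err
		}
		result, err = growChecked(result, idx, v)
		if err != nil {
			return nil, err
		}
	}
	return result, nil
}

func main() {
	// Constructed form input modelled on the advisory's example key.
	hostile := map[string]string{"test.18446744073704": "x"}
	benign := map[string]string{"test.0": "a", "test.2": "c"}

	if _, err := DecodeUnchecked(hostile); err != nil {
		fmt.Println("unchecked:", err)
	}
	if _, err := DecodeChecked(hostile); err != nil {
		fmt.Println("checked:", err)
	}
	out, _ := DecodeChecked(benign)
	fmt.Printf("checked benign: %q\n", out)
}
```

The unchecked path fails only because the example wraps the panic in recover; in a real handler that panic propagates to whatever recovery middleware is installed, or crashes the process if none is. The fix is to validate the index against an explicit bound before calling make, not to catch the panic afterwards.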