GO-2023-2116

Source
https://pkg.go.dev/vuln/GO-2023-2116
Import Source
https://vuln.go.dev/ID/GO-2023-2116.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2023-2116
Aliases
Published
2023-10-24T16:57:08Z
Modified
2024-05-20T16:03:47Z
Summary
CSRF token validation vulnerability in github.com/gofiber/fiber/v2
Details

A cross-site request forgery vulnerability can allow an attacker to obtain tokens and forge malicious requests on behalf of a user. This can lead to unauthorized actions being taken on the user's behalf, potentially compromising the security and integrity of the application.

The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. The CSRF token is validated against tokens in storage but is not tied to the original requestor that generated it, allowing for token reuse: a token an attacker obtains for their own session is accepted on a request that carries the victim's session.
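
The token-reuse flaw described above, as an added example in Go that is not code from the fiber project or from this advisory: a minimal server-side token store with the flawed validator (the submitted token merely has to exist in storage; who it was issued to is ignored) next to a validator that binds the token to the requestor. The Request type, the session identifiers and the cookie values are constructed for illustration. The hardened check combines a double-submit comparison (header/form token must equal the CSRF cookie) with a stored token-to-session binding; that is one way to meet the requirement the advisory states, not a description of the fix shipped in 2.50.0.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"sync"
)

// Request is the subset of an incoming HTTP request that matters here:
// the session cookie (who the browser says it is), the CSRF cookie, and
// the CSRF token carried in a header or form field. Constructed for this
// example; it is not the middleware's own request type.
type Request struct {
	SessionID  string // value of the session cookie sent by the browser
	CSRFCookie string // value of the CSRF cookie sent by the browser
	CSRFToken  string // token taken from the X-Csrf-Token header or a form field
}

// Store keeps issued tokens server-side, as a storage-backed CSRF
// middleware would. The value records which session the token was
// issued to; the vulnerable validator never looks at it.
type Store struct {
	mu     sync.Mutex
	tokens map[string]string // token -> session ID it was issued to
}

func NewStore() *Store { return &Store{tokens: make(map[string]string)} }

// Issue mints a random 32-byte token for sessionID and records the binding.
func (s *Store) Issue(sessionID string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	s.tokens[tok] = sessionID
	s.mu.Unlock()
	return tok
}

func (s *Store) owner(tok string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sid, ok := s.tokens[tok]
	return sid, ok
}

// ValidateUnbound is the flawed pattern the advisory describes: the
// submitted token is accepted if it exists in storage at all, regardless
// of who it was issued to. Any token the attacker can obtain for their
// own session therefore validates a request riding the victim's session.
func ValidateUnbound(s *Store, r Request) bool {
	_, ok := s.owner(r.CSRFToken)
	return ok
}

// ValidateBound ties the token to the requestor in two ways: the
// header/form token must equal the CSRF cookie the same browser sent
// (double-submit), and the stored binding must name the session making
// the request. A token issued under the attacker's session fails the
// second check even if the attacker manages to plant it as the cookie.
func ValidateBound(s *Store, r Request) bool {
	if r.CSRFToken == "" ||
		subtle.ConstantTimeCompare([]byte(r.CSRFToken), []byte(r.CSRFCookie)) != 1 {
		return false
	}
	sid, ok := s.owner(r.CSRFToken)
	return ok && subtle.ConstantTimeCompare([]byte(sid), []byte(r.SessionID)) == 1
}

// ForgedRequest models the cross-site attack: the victim's browser attaches
// the victim's cookies automatically, while the attacker's page supplies a
// token the attacker previously obtained for their own session.
func ForgedRequest(victimSession, victimCSRFCookie, attackerToken string) Request {
	return Request{SessionID: victimSession, CSRFCookie: victimCSRFCookie, CSRFToken: attackerToken}
}

func main() {
	s := NewStore()
	victimTok := s.Issue("sess-victim")     // constructed session IDs
	attackerTok := s.Issue("sess-attacker")

	forged := ForgedRequest("sess-victim", victimTok, attackerTok)
	fmt.Println("unbound validation accepts forged request:", ValidateUnbound(s, forged)) // true
	fmt.Println("bound validation accepts forged request:  ", ValidateBound(s, forged))   // false

	legit := Request{SessionID: "sess-victim", CSRFCookie: victimTok, CSRFToken: victimTok}
	fmt.Println("bound validation accepts legitimate request:", ValidateBound(s, legit)) // true
}
```

Run with `go run .`: the first line shows the attacker's own token being accepted on the victim's session under the unbound check, the second shows the bound check rejecting it. The session binding is what matters when the attacker can also control the victim's CSRF cookie (for example from a sibling subdomain), since the double-submit comparison alone would then pass.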

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-2116"
}
References

Affected packages

Go / github.com/gofiber/fiber/v2

Package

Name
github.com/gofiber/fiber/v2
Purl
pkg:golang/github.com/gofiber/fiber/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.50.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/gofiber/fiber/v2/middleware/csrf",
            "symbols": [
                "CsrfFromCookie",
                "CsrfFromForm",
                "CsrfFromHeader",
                "CsrfFromParam",
                "CsrfFromQuery",
                "New",
                "configDefault",
                "manager.getRaw",
                "manager.setRaw",
                "newManager"
            ]
        }
    ]
}