QID 980484
QID 980484: Go (go) Security Update for github.com/gofiber/fiber (GHSA-9cx9-x2gp-9qvh)
Security update has been released for github.com/gofiber/fiber to fix the vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
The filename that is given in [c.Attachment()](https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc.
Solution
This issue has been patched in `v1.12.6` with commit [579](https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f) escaping the filename by default.Workaround:
You could of course serialize the input yourself before passing it to `ctx.Attachment()`, this is actually a good practice by default. But in case you forget, we got you covered
You could of course serialize the input yourself before passing it to `ctx.Attachment()`, this is actually a good practice by default. But in case you forget, we got you covered
Vendor References
- GHSA-9cx9-x2gp-9qvh -
github.com/advisories/GHSA-9cx9-x2gp-9qvh
CVEs related to QID 980484
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-9cx9-x2gp-9qvh | github.com/gofiber/fiber |
github.com/advisories/GHSA-9cx9-x2gp-9qvh |