CVE-2024-25124

CRITICAL · EPSS 46.9%
Published Feb 21, 2024 · Last Modified Jun 17, 2026
CVSS 3.1 Base Score 9.8 (Critical)

Description

Fiber is a web framework written in Go. Prior to version 2.52.1, the CORS middleware allows insecure configurations that could expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (`*`) while also having Access-Control-Allow-Credentials set to true, which goes against recommended security best practices. The impact of this misconfiguration is high, as it can lead to unauthorized access to sensitive user data and expose the system to the types of attacks listed in the PortSwigger article linked in the references. Version 2.52.1 contains a patch for this issue. As a workaround, users may manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser Fetch API, as well as browsers and utilities that enforce CORS policies, are not affected by this.
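The workaround above is a configuration check. As an added example (not Fiber's own code; `CORSConfig`, `Validate` and `AllowOriginHeader` are stand-in names assumed here), this shows such a check together with the header logic a middleware should use instead of the wildcard when credentials are enabled:

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// CORSConfig is a stand-in for illustration, mirroring only the two settings
// the advisory is about; it is not Fiber's config type.
type CORSConfig struct {
	AllowOrigins     string // comma-separated origins; "*" means any origin
	AllowCredentials bool
}

var ErrWildcardWithCredentials = errors.New(
	"cors: AllowOrigins \"*\" must not be combined with AllowCredentials true")

// Validate rejects the insecure combination described in CVE-2024-25124:
// a wildcard origin while credentials are allowed.
func Validate(c CORSConfig) error {
	if !c.AllowCredentials {
		return nil
	}
	for _, o := range strings.Split(c.AllowOrigins, ",") {
		if strings.TrimSpace(o) == "*" {
			return ErrWildcardWithCredentials
		}
	}
	return nil
}

// AllowOriginHeader returns the Access-Control-Allow-Origin value to emit for
// the request's Origin, or "" when the origin is not allowed. With credentials
// enabled the exact origin is echoed only if it is on the allow list; "*" is
// never emitted next to Access-Control-Allow-Credentials: true.
func AllowOriginHeader(c CORSConfig, requestOrigin string) string {
	for _, o := range strings.Split(c.AllowOrigins, ",") {
		o = strings.TrimSpace(o)
		if o == "*" {
			if c.AllowCredentials {
				return "" // refuse rather than emit the forbidden combination
			}
			return "*"
		}
		if strings.EqualFold(o, requestOrigin) {
			return requestOrigin
		}
	}
	return ""
}

func main() {
	bad := CORSConfig{AllowOrigins: "*", AllowCredentials: true}
	fmt.Println("bad config:", Validate(bad))
	good := CORSConfig{AllowOrigins: "https://app.example.com", AllowCredentials: true}
	fmt.Println("good config:", Validate(good), AllowOriginHeader(good, "https://app.example.com"))
}
```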

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
46.9% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-346
CWE-942

Affected Products 1

Vendor    Product   Version   Range
gofiber   fiber     *         <2.52.1

References 8

  • blog.portswigger.net http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
    Exploit, Third Party Advisory
  • codeql.github.com https://codeql.github.com/codeql-query-help/javascript/js-cors-misconfiguration-for-credentials
    Technical Description
  • developer.mozilla.org https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials
    Technical Description
  • fetch.spec.whatwg.org https://fetch.spec.whatwg.org/#cors-protocol-and-credentials
    Technical Description
  • github.com https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
    Patch
  • github.com https://github.com/gofiber/fiber/releases/tag/v2.52.1
    Release Notes
  • github.com https://github.com/gofiber/fiber/security/advisories/GHSA-fmg4-x8pw-hjhg
    Exploit, Vendor Advisory
  • saturncloud.io https://saturncloud.io/blog/cors-cannot-use-wildcard-in-accesscontrolalloworigin-when-credentials-flag-is-true
    Broken Link

Remediation

  • github.com https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
    Patch