CVE-2025-54801: 
Wolfi vulnerability analysis and mitigation

Fiber, an Express-inspired web framework written in Go, was found to have a critical vulnerability (CVE-2025-54801) in versions 2.52.8 and below. The vulnerability was discovered and disclosed on August 5, 2025, affecting the framework's BodyParser functionality when handling form data containing large numeric keys representing slice indices (GitHub Advisory).

The vulnerability stems from the framework's Ctx.BodyParser functionality when processing form data with large numeric keys representing slice indices (e.g., test.18446744073704). The underlying schema decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe range. This leads to an out-of-bounds slice allocation, potentially causing integer overflow or memory exhaustion. The vulnerability has been assigned a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

When successfully exploited, this vulnerability can cause application crashes and potential denial of service (DoS) through memory exhaustion or server crashes. The lack of defensive checks in the parsing code leads to system instability when processing malicious or malformed input (GitHub Advisory).

The vulnerability has been fixed in version 2.52.9 of the Fiber framework. Users are advised to upgrade to this version or later to address the security issue (GitHub Advisory).