CVE-2020-15111
MEDIUMFiber < 1.12.6 - CRLF Injection via Attachment Filename
Title source: llmDescription
In Fiber before version 1.12.6, the filename that is given in c.Attachment() (https://docs.gofiber.io/ctx#attachment) is not escaped, and therefore vulnerable for a CRLF injection attack. I.e. an attacker could upload a custom filename and then give the link to the victim. With this filename, the attacker can change the name of the downloaded file, redirect to another site, change the authorization header, etc. A possible workaround is to serialize the input before passing it to ctx.Attachment().
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/gofiber/fiber/security/advisories/GHSA-9cx9-x2gp-9qvh
Patch, Third Party Advisory x_refsource_misc
https://github.com/gofiber/fiber/pull/579/commits/f698b5d5066cfe594102ae252cd58a1fe57cf56f
Scores
CVSS v3
4.2
EPSS
0.0086
EPSS Percentile
53.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Details
CWE
CWE-93
CWE-74
Status
published
Products (2)
gofiber/fiber
< 1.12.6
gofiber/fiber
0 - 1.12.6Go
Published
Jul 20, 2020
Tracked Since
Feb 18, 2026