Vulnerability Report: GO-2023-2115

• CVE-2023-45128, GHSA-94w9-97p3-p368
• Affects: github.com/gofiber/fiber/v2
• Published: Oct 24, 2023

A cross-site request forgery vulnerability in this package can allow an attacker to inject arbitrary values and forge malicious requests on behalf of a user. The attacker may inject arbitrary values without any authentication, or perform various malicious actions on behalf of an authenticated user, potentially compromising the security and integrity of the application. The vulnerability is caused by improper validation and enforcement of CSRF tokens within the application. For 'safe' methods, the token is extracted from the cookie and saved to storage without further validation or sanitization. In addition, the CSRF token is validated against tokens in storage but not associated with a session, nor by using a Double Submit Cookie Method, allowing for token reuse.