Always-Incorrect Control Flow Implementation
CVE-2023-41338
Summary
Fiber is an Express-inspired web framework built in the go language. In github.com/gofiber/fiber package versions prior to 2.49.2, it doesn't properly restrict access to localhosts. This issue affects users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` on a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-670 - Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
References
Advisory Timeline
- Published