Skip to main content

Always-Incorrect Control Flow Implementation

CVE-2023-41338

Severity Medium
Score 5.3/10

Summary

Fiber is an Express-inspired web framework built in the go language. In github.com/gofiber/fiber package versions prior to 2.49.2, it doesn't properly restrict access to localhosts. This issue affects users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` on a request from a foreign host, will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • NONE

CWE-670 - Always-Incorrect Control Flow Implementation

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

Advisory Timeline

  • Published