Summary
Fiber has Insecure CORS Configuration, Allowing Wildcard Origin with Credentials
The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard ("*") while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices.
Proof of Concept
The code in cors.go allows setting a wildcard in the AllowOrigins while having AllowCredentials set to true, which could lead to various vulnerabilities.
Potential Solution
Here is a potential solution to ensure the CORS configuration is secure:
func New(config ...Config) fiber.Handler {
if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
}
// Return new handler goes below
}
The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.
Workarounds
For the meantime, users are advised to manually validate the CORS configurations in their implementation to ensure that they do not allow a wildcard origin when credentials are enabled. The browser fetch api, browsers and utilities that enforce CORS policies are not affected by this.
References
MDN Web Docs on CORS Errors
CodeQL on CORS Misconfiguration
PortSwigger on Exploiting CORS Misconfigurations
WhatWG CORS protocol and credentials
Impact
The impact of this misconfiguration is high as it can lead to unauthorized access to sensitive user data and expose the system to various types of attacks listed in the PortSwigger article linked in the references.
CVE-2024-25124 has a CVSS score of 9.4 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.52.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2024-25124? CVE-2024-25124 is a critical-severity security vulnerability in github.com/gofiber/fiber/v2 (go), affecting versions < 2.52.1. It is fixed in 2.52.1.
- How severe is CVE-2024-25124? CVE-2024-25124 has a CVSS score of 9.4 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/gofiber/fiber/v2 are affected by CVE-2024-25124? github.com/gofiber/fiber/v2 (go) versions < 2.52.1 is affected.
- Is there a fix for CVE-2024-25124? Yes. CVE-2024-25124 is fixed in 2.52.1. Upgrade to this version or later.
- Is CVE-2024-25124 exploitable, and should I be worried? Whether CVE-2024-25124 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2024-25124 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2024-25124? Upgrade
github.com/gofiber/fiber/v2to 2.52.1 or later.