A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.
Impact
The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.
Patches
The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.
Workarounds
Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:
Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
This PR contains the following updates:
v2.52.4->v2.52.5GitHub Vulnerability Alerts
CVE-2024-38513
A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.
Impact
The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.
Patches
The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.
Workarounds
Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:
References
For more information on session best practices:
Users are encouraged to review these references and take immediate action to secure their applications.
Release Notes
gofiber/fiber (github.com/gofiber/fiber/v2)
### [`v2.52.5`](https://togithub.com/gofiber/fiber/releases/tag/v2.52.5) [Compare Source](https://togithub.com/gofiber/fiber/compare/v2.52.4...v2.52.5) #### ๐ฎ SecurityMiddleware/session: Session Middleware Token Injection Vulnerability - GHSA-98j2-3j3p-fw2v
https://docs.gofiber.io/api/middleware/sessionConfiguration
๐ Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
๐ฆ Automerge: Enabled.
โป Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
๐ Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Thanks for the PR!
Deployments, as required, will be available below:
Please create PRs in draft mode. Mark as ready to enable:
After merge, new images are deployed in: