Urgent Alert for Developers: Fix the Critical Fiber Go CVE-2024-25124 Vulnerability Now

Developers using the Fiber Go web framework should immediately address a critical vulnerability in the CORS middleware. CVE-2024-25124 (CVSS 9.4) stems from allowing wildcard origins (*) in CORS configurations while simultaneously enabling credentials.

Fiber is a Go web framework built on top of Fasthttp, the fastest HTTP engine for Go. It’s designed to ease things up for fast development with zero memory allocation and performance in mind.

The Problem: Overly Permissive CORS

CORS is a vital mechanism that allows web applications to safely share resources across different domains. Misconfiguring CORS can inadvertently create an open door for attackers. Fiber’s CVE-2024-25124 vulnerability lies in the potential for settings that combine a wildcard origin (“*”) with enabled credentials. This combination contradicts web security best practices and can lead to:

• Unauthorized Data Access: Sensitive user information could be leaked to malicious websites.
• Cross-Site Request Forgery (CSRF): Attackers could trick users into executing harmful actions on your web app.
• Other Web Exploits: This opening creates a launchpad for numerous web-based attacks.

“The CORS middleware allows for insecure configurations that could potentially expose the application to multiple CORS-related vulnerabilities. Specifically, it allows setting the Access-Control-Allow-Origin header to a wildcard (“*”) while also having the Access-Control-Allow-Credentials set to true, which goes against recommended security best practices,” reads the security advisory.

Who’s Affected?

Any application built using Fiber versions earlier than 2.52.1 is vulnerable. If you’re unsure of your version, it’s crucial to upgrade immediately.

Protecting Yourself

• Upgrade, Upgrade, Upgrade!: The fix is already available in Fiber versions 2.52.1 and above.
• Manual Review: Double-check your existing CORS configurations. Never allow a wildcard origin (“*”) while credentials are enabled. Here is a potential solution to ensure the CORS configuration is secure:
   

  func New(config ...Config) fiber.Handler {
      if cfg.AllowCredentials && cfg.AllowOrigins == "*" {
          panic("[CORS] Insecure setup, 'AllowCredentials' is set to true, and 'AllowOrigins' is set to a wildcard.")
      }
      // Return new handler goes below
  }
  
  The middleware will not allow insecure configurations when using `AllowCredentials` and `AllowOrigins`.
• Security Best Practices: Familiarize yourself with secure CORS configurations. The PortSwigger article is an excellent resource to deepen your understanding.