CVE-2026-45045
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/07/2026
Last modified:
10/07/2026
Description
Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.
Impact
Base Score 3.x
5.30
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/gofiber/fiber/commit/1403cc8292da3220e9316960b4030cc722a0f396
- https://github.com/gofiber/fiber/commit/33c9501288ab47a429c8b5e701493f0c3c0af37d
- https://github.com/gofiber/fiber/pull/4260
- https://github.com/gofiber/fiber/pull/4495
- https://github.com/gofiber/fiber/releases/tag/v2.52.14
- https://github.com/gofiber/fiber/releases/tag/v3.3.0
- https://github.com/gofiber/fiber/security/advisories/GHSA-gcfq-8gqf-4876



