CVE-2026-45045

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
08/07/2026
Last modified:
15/07/2026

Description

Fiber is an Express inspired web framework written in Go. Prior to 3.3.0 and 2.52.14, the BalancerForward proxy helper in middleware/proxy/proxy.go uses Header.Add() instead of Header.Set() when injecting X-Real-IP, allowing an attacker-supplied first X-Real-IP value to be forwarded to upstream servers for logging, rate limiting, and access control. This issue is fixed in version 3.3.0 and 2.52.14.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:* 2.52.14 (excluding)
cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:* 3.0.0 (including) 3.3.0 (excluding)