PatchSiren cyber security CVE debrief

CVE-2026-42554 Gofiber CVE debrief

A Cross-Site Scripting (XSS) vulnerability in the Go Fiber web framework allows remote attackers to inject arbitrary HTML/JavaScript by supplying an `Accept: text/html` header on requests whose handlers pass attacker-influenced data to the `AutoFormat()` feature. The vulnerability exists because `AutoFormat()` performs content negotiation based on the attacker-controlled `Accept` header, and when `text/html` is selected it emits raw HTML without additional sanitization, even though the developer did not explicitly opt into HTML output. The method's name and symmetrical structure suggest safe, format-agnostic behavior, which makes the HTML branch an unexpected outlier. This affects Fiber versions prior to 2.52.12 and 3.0.0 through 3.0.x prior to 3.1.0. The vulnerability was published on 2026-05-11 and last modified on 2026-05-18. No known exploitation in ransomware campaigns has been reported.

Vendor: Gofiber
Product: Fiber
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-18
Advisory published: 2026-05-11
Advisory updated: 2026-05-18

Who should care

Organizations running Go applications built with Fiber versions prior to 2.52.12, or 3.0.x versions prior to 3.1.0, particularly those calling `AutoFormat()` with user-influenced data. Development teams practicing defense-in-depth in content negotiation handlers. Security teams reviewing the attack surface of Go web applications.

Technical summary

The Go Fiber framework's `AutoFormat()` method selects response formats based on the HTTP `Accept` header. When `text/html` is requested, the method emits raw HTML without escaping, creating an XSS vector when attacker-influenced data reaches the method. The vulnerability is notable because developers calling `AutoFormat()` reasonably expect format-agnostic, safe behavior based on the method name and symmetrical handling of other formats (JSON, XML, etc.). The HTML branch breaks this expectation by emitting unsanitized content.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Fiber to version 2.52.12 (for 2.x series) or 3.1.0 (for 3.x series) or later
  • Review application handlers that use AutoFormat() to ensure they do not pass untrusted user input directly
  • Consider implementing additional output encoding when user-influenced data may reach AutoFormat()
  • Monitor application logs for requests with Accept: text/html headers to handlers using AutoFormat()
  • If immediate patching is not possible, implement WAF rules to sanitize or block suspicious Accept headers for routes using AutoFormat()
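The mechanism from the technical summary and the output-encoding action above, as an added example that is not Fiber's code: a simplified stand-in for `Accept`-based negotiation (the `negotiate`, `renderUnsafe` and `renderSafe` functions are assumptions, not the framework's API) showing the raw HTML branch beside the escaped one.

```go
// Added example, not Fiber's code: a simplified model of Accept-header
// content negotiation that reproduces the described HTML-branch problem
// and shows the defensive fix of escaping user-influenced data.
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"strings"
)

// negotiate picks the first offered media type that appears in the Accept
// header, ignoring q-values (assumed simplification of real negotiation).
func negotiate(accept string, offers ...string) string {
	for _, part := range strings.Split(accept, ",") {
		mt := strings.TrimSpace(strings.SplitN(part, ";", 2)[0])
		for _, o := range offers {
			if mt == o {
				return o
			}
		}
	}
	return offers[0] // fallback when nothing matches, e.g. "*/*"
}

// renderUnsafe mirrors the vulnerable behaviour: the text/html branch
// writes the value into markup without escaping, unlike JSON or plain text.
func renderUnsafe(accept, name string) (string, string) {
	switch mt := negotiate(accept, "text/plain", "application/json", "text/html"); mt {
	case "application/json":
		b, _ := json.Marshal(map[string]string{"name": name})
		return mt, string(b)
	case "text/html":
		return mt, fmt.Sprintf("<p>%s</p>", name) // untrusted data lands raw in HTML
	default:
		return mt, name
	}
}

// renderSafe applies output encoding before the value can reach the HTML
// branch, the "additional output encoding" action from the debrief.
func renderSafe(accept, name string) (string, string) {
	mt := negotiate(accept, "text/plain", "application/json", "text/html")
	if mt == "text/html" {
		name = html.EscapeString(name)
	}
	return renderUnsafe(accept, name)
}
```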

Evidence notes

Official vendor advisory confirms the vulnerability mechanism and affected versions. NVD CPE data confirms version ranges: all versions before 2.52.12, and 3.0.0 through versions before 3.1.0. CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction required.

Official resources

2026-05-11