CVE-2024-38513

Severity: CRITICAL 10.0 | EPSS: 0.33%

Session Middleware Token Injection Vulnerability

Published: 7/1/2024 | Modified: 10/2/2025
Also known as: GHSA-98j2-3j3p-fw2v, GO-2024-2959

Description

A security vulnerability has been identified in the Fiber session middleware where a user can supply their own session_id value, leading to the creation of a session with that key.

## Impact

The identified vulnerability is a session middleware issue in GoFiber versions 2 and above. It allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted.

## Patches

The issue has been addressed in the latest patch. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability.

## Workarounds

Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:

1. **Validate Session IDs**: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
2. **Session Management**: Regularly rotate session IDs and enforce strict session expiration policies.

## References

For more information on session best practices:

- [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html)

Users are encouraged to review these references and take immediate action to secure their applications.
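The workarounds above come down to one rule: a value arriving from the client is only ever a lookup key, never a key under which the server creates state. The following is an added example, not Fiber's code and not the project's fix; it is a self-contained, standard-library-only Go store (the names `Store`, `Session`, `Get`, `Regenerate`, `Has` and `LooksServerGenerated` are this example's own) showing the three defensive properties the advisory asks for: an unknown or expired client-supplied ID yields a fresh server-generated session rather than a session stored under the client's value, IDs are produced with `crypto/rand` and can be shape-checked before lookup, and `Regenerate` rotates the ID (for example after login) while `ttl` enforces expiry.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"sync"
	"time"
)

// Session is the server-side state for one session.
type Session struct {
	ID        string
	Data      map[string]string
	ExpiresAt time.Time
}

// Store keeps sessions in memory, keyed only by IDs it generated itself.
// (Example store, not Fiber's; a real deployment would use a shared backend.)
type Store struct {
	mu       sync.Mutex
	sessions map[string]*Session
	ttl      time.Duration
	now      func() time.Time // injectable clock so expiry can be tested
}

func NewStore(ttl time.Duration) *Store {
	return &Store{sessions: map[string]*Session{}, ttl: ttl, now: time.Now}
}

// newID returns 32 bytes from crypto/rand, URL-safe base64 without padding
// (always 43 characters), which is the only shape this store ever issues.
func newID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// LooksServerGenerated is the cheap pre-lookup check from workaround 1:
// anything that is not 43 base64url characters cannot have come from newID.
func LooksServerGenerated(id string) bool {
	if len(id) != 43 {
		return false
	}
	for _, c := range id {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '-', c == '_':
		default:
			return false
		}
	}
	return true
}

// Get resolves a client-supplied ID. It is used purely as a lookup key: if the
// ID is malformed, unknown or expired, a new server-generated session is
// returned (fresh == true) and the client's value is never stored as a key.
func (s *Store) Get(clientID string) (sess *Session, fresh bool, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if LooksServerGenerated(clientID) {
		if existing, ok := s.sessions[clientID]; ok {
			if s.now().Before(existing.ExpiresAt) {
				return existing, false, nil
			}
			delete(s.sessions, clientID) // expired: discard and fall through
		}
	}
	id, err := newID()
	if err != nil {
		return nil, false, err
	}
	sess = &Session{ID: id, Data: map[string]string{}, ExpiresAt: s.now().Add(s.ttl)}
	s.sessions[id] = sess
	return sess, true, nil
}

// Regenerate moves the session's data under a new server-generated ID and
// retires the old one, so an ID seen before login is worthless afterwards.
func (s *Store) Regenerate(sess *Session) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	id, err := newID()
	if err != nil {
		return err
	}
	delete(s.sessions, sess.ID)
	sess.ID = id
	sess.ExpiresAt = s.now().Add(s.ttl)
	s.sessions[id] = sess
	return nil
}

// Has reports whether an ID is currently a key in the store.
func (s *Store) Has(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.sessions[id]
	return ok
}

func main() {
	st := NewStore(time.Hour)
	sess, fresh, _ := st.Get("client-chosen-id") // constructed cookie value
	fmt.Printf("fresh=%v stored-under-client-value=%v\n", fresh, st.Has("client-chosen-id"))
	old := sess.ID
	_ = st.Regenerate(sess)
	fmt.Printf("rotated=%v old-id-retired=%v\n", sess.ID != old, !st.Has(old))
}
```

The contrast with the vulnerable behaviour the advisory describes is in `Get`: a fixed, well-formed cookie that the server never issued does not become a session key, so a session's mere existence again implies the server created it.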

Affected packages (5)

CVSS scores

| Source | Version  | Severity      | Vector                                       |
|--------|----------|---------------|----------------------------------------------|
| osv    | CVSS 3.1 | CRITICAL 10.0 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |

References (5)