Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-30246
6.5 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): LOW
- Availability impact (A): NONE
Activity log
- Created suggestion
github.com/gofiber/fiber/v3 cache middleware can mix responses across query parameters
Fiber is a web framework for Go. In github.com/gofiber/fiber/v3 versions through 3.1.0, the default key generator in the cache middleware uses only the request path and does not include the query string. As a result, requests for the same path with different query parameters can share a cache key and receive the wrong cached response. This can cause response mix-up for query-dependent endpoints and may expose data intended for a different request. This issue is fixed after version 3.1.0.
References
Affected products
fiber
- ==>= v3.0.0-beta.2, < 3.1.0
Matching in nixpkgs
pkgs.guile-fibers
Concurrent ML-like concurrency for Guile
pkgs.ocamlPackages.fiber
Structured concurrency library
pkgs.ocamlPackages_latest.fiber
Structured concurrency library