CVE-2024-25124 Overview
CVE-2024-25124 is a critical security vulnerability in the CORS (Cross-Origin Resource Sharing) middleware of Fiber, a web framework for Go. Affected versions let an application set the Access-Control-Allow-Origin header to a wildcard (*) while also sending Access-Control-Allow-Credentials: true. That combination is forbidden by the CORS specification, violates security best practice, and exposes applications to cross-origin attacks against authenticated endpoints.
Critical Impact
Applications on vulnerable GoFiber versions may accept credentialed cross-origin requests from origins they never intended to trust. A malicious site visited by a logged-in user can then read the application's authenticated responses, leading to disclosure of sensitive user data, theft of session-bound information, and other credential-based attacks.
Affected Products
- GoFiber Fiber versions prior to v2.52.1
- Applications using the CORS middleware with wildcard origins and credentials enabled
- Go applications built with vulnerable Fiber framework releases
Discovery Timeline
- 2024-02-21 - CVE-2024-25124 published to NVD
- 2025-02-05 - Last updated in NVD database
Technical Details for CVE-2024-25124
Vulnerability Analysis
This vulnerability exists in the CORS middleware implementation within the GoFiber web framework. The core issue is that the middleware does not enforce the CORS specification rule that forbids combining wildcard origins with credential support. Under the WHATWG Fetch CORS specification, when Access-Control-Allow-Credentials is true the Access-Control-Allow-Origin header must name the specific requesting origin; a wildcard is not accepted for credentialed requests.
The vulnerability is classified under CWE-346 (Origin Validation Error): the middleware does not validate or restrict origin configuration when credentials are enabled. Two shapes of the problem behave differently in browsers. A literal Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true is rejected by browsers for credentialed requests, so that shape mostly breaks legitimate clients. The dangerous shape is a configuration that echoes the requesting Origin back as Access-Control-Allow-Origin together with the credentials header (which is what AllowOriginsFunc does whenever it returns true): browsers accept that, so any site a logged-in user visits can read the application's authenticated responses. CORS is enforced only by browsers; non-browser clients ignore it in every configuration, so it provides no protection against them either way.
Root Cause
The root cause lies in the CORS middleware's configuration validation. Before the patch, the middleware accepted AllowOrigins: "*" together with AllowCredentials: true without a warning or an error and sent both headers as configured. The AllowOriginsFunc callback, whose true result causes the request's Origin to be reflected in Access-Control-Allow-Origin, was also documented without any note about credentials, so a permissive callback combined with AllowCredentials produced the same class of exposure.
The patch adds enforcement: when AllowCredentials is true and the selected origin is a wildcard, the middleware no longer sets access-control-allow-credentials to true, so the insecure combination is never sent to clients.
Attack Vector
The attack vector is network-based. The attacker needs no account on the application, but the browser-based attack does need a victim who is authenticated to the application and visits an attacker-controlled page. That page issues cross-origin requests with credentials (cookies, HTTP authentication, or client-side TLS certificates) to the vulnerable application and, when the response carries a permissive Access-Control-Allow-Origin together with the credentials header, reads the result. This enables attacks including:
- Cross-Origin Data Theft: reading sensitive user information from authenticated responses via a malicious website
- Session Hijacking: harvesting session identifiers or tokens exposed in the bodies of credentialed responses
- CSRF Bypass: reading anti-CSRF tokens or other per-session values out of authenticated responses and replaying them in forged requests
- Privilege Escalation: performing actions on behalf of authenticated users
// Security patch in middleware/cors/cors.go
// Source: https://github.com/gofiber/fiber/commit/f0cd3b44b086544a37886232d0530601f2406c23
Next func(c *fiber.Ctx) bool
// AllowOriginsFunc defines a function that will set the 'access-control-allow-origin'
- // response header to the 'origin' request header when returned true.
+ // response header to the 'origin' request header when returned true. This allows for
+ // dynamic evaluation of allowed origins. Note if AllowCredentials is true, wildcard origins
+ // will be not have the 'access-control-allow-credentials' header set to 'true'.
//
// Optional. Default: nil
AllowOriginsFunc func(origin string) bool
- // AllowOrigin defines a list of origins that may access the resource.
+ // AllowOrigin defines a comma separated list of origins that may access the resource.
//
// Optional. Default value "*"
AllowOrigins string
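Review bot: the comment added on the `+ // will be not have the 'access-control-allow-credentials' header set to 'true'.` line has a word-order slip and should read "will not have"; while on that line, note that this hunk only documents the behaviour, the code that actually suppresses the credentials header for a wildcard origin is not in the lines shown, so the comment should say where that rule is applied or the check should be reviewed together with it. Separately, the rewritten `+ // AllowOrigin defines a comma separated list of origins that may access the resource.` still calls the field `AllowOrigin` although the field below is `AllowOrigins`; suggest fixing the name in the same change.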
Detection Methods for CVE-2024-25124
Indicators of Compromise
- HTTP responses carrying both Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true, or echoing an arbitrary request Origin alongside Access-Control-Allow-Credentials: true
- Requests to authenticated endpoints whose Origin header names domains the application does not serve
- Unexpected session activity or data-access patterns consistent with cross-origin reads of authenticated responses
- Note that a browser's own CORS blocks are reported only in the browser console, never to the server, so server logs will not contain them; the absence of such errors is not evidence of a safe configuration
Detection Strategies
- Implement HTTP response header monitoring to detect the insecure header combination of wildcard CORS origins with credentials enabled
- Deploy static code analysis using tools like CodeQL to identify CORS misconfigurations in source code
- Review GoFiber application dependencies to verify that github.com/gofiber/fiber/v2 is at version 2.52.1 or later
- Configure web application firewalls (WAFs) to alert on or block responses with the insecure CORS header combination
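The header check described in the indicators and detection strategies above, written as an added Go example using only the standard library (it is not code from the page or from Fiber). The four HTTP responses are constructed for the example, and the origins https://attacker.example and https://trusted-domain.com are placeholders. The scanner sends a probe Origin it controls, so it catches not only the literal wildcard but also a server that reflects any origin together with credentials, which is the browser-exploitable case:

```go
package main

import (
	"bufio"
	"fmt"
	"net/http"
	"strings"
)

// Sample responses, constructed for this example (not captured from a real host).
const (
	// The CVE-2024-25124 header combination: wildcard origin plus credentials.
	respWildcardCreds = "HTTP/1.1 200 OK\r\n" +
		"Access-Control-Allow-Origin: *\r\n" +
		"Access-Control-Allow-Credentials: true\r\n" +
		"Content-Length: 0\r\n\r\n"
	// An arbitrary probe origin echoed back with credentials (permissive AllowOriginsFunc).
	respReflectedCreds = "HTTP/1.1 200 OK\r\n" +
		"Access-Control-Allow-Origin: https://attacker.example\r\n" +
		"Access-Control-Allow-Credentials: true\r\n" +
		"Vary: Origin\r\n" +
		"Content-Length: 0\r\n\r\n"
	// Secure: an explicit trusted origin with credentials.
	respExplicitCreds = "HTTP/1.1 200 OK\r\n" +
		"Access-Control-Allow-Origin: https://trusted-domain.com\r\n" +
		"Access-Control-Allow-Credentials: true\r\n" +
		"Content-Length: 0\r\n\r\n"
	// Secure: wildcard without credentials (a public, unauthenticated resource).
	respWildcardNoCreds = "HTTP/1.1 200 OK\r\n" +
		"Access-Control-Allow-Origin: *\r\n" +
		"Content-Length: 0\r\n\r\n"
)

// Finding is one insecure CORS header combination observed in a response.
type Finding struct {
	AllowOrigin string
	Reason      string
}

// CheckCORSResponse parses a raw HTTP/1.x response and reports the insecure
// combinations relevant to CVE-2024-25124. probeOrigin is the untrusted Origin
// header the scanner sent, so reflection of an arbitrary origin alongside
// credentials is flagged as well as the literal "*". A nil Finding means clean.
func CheckCORSResponse(raw, probeOrigin string) (*Finding, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	resp.Body.Close()

	acao := resp.Header.Get("Access-Control-Allow-Origin")
	creds := strings.EqualFold(resp.Header.Get("Access-Control-Allow-Credentials"), "true")
	if !creds {
		return nil, nil // without credentials, "*" is a normal public-API setting
	}
	switch {
	case acao == "*":
		return &Finding{acao, "wildcard origin combined with Access-Control-Allow-Credentials: true"}, nil
	case acao == "null":
		return &Finding{acao, "\"null\" origin allowed with credentials (sandboxed iframes and data: URLs send it)"}, nil
	case probeOrigin != "" && acao == probeOrigin:
		return &Finding{acao, "untrusted probe origin reflected with credentials"}, nil
	}
	return nil, nil
}

// ScanResponses runs the check over a batch and returns the reasons, in order.
func ScanResponses(raws []string, probeOrigin string) ([]string, error) {
	var out []string
	for _, r := range raws {
		f, err := CheckCORSResponse(r, probeOrigin)
		if err != nil {
			return nil, err
		}
		if f != nil {
			out = append(out, f.Reason)
		}
	}
	return out, nil
}

func main() {
	raws := []string{respWildcardCreds, respReflectedCreds, respExplicitCreds, respWildcardNoCreds}
	reasons, err := ScanResponses(raws, "https://attacker.example")
	if err != nil {
		panic(err)
	}
	for _, r := range reasons {
		fmt.Println("INSECURE:", r)
	}
}
```

In a real scan, feed CheckCORSResponse the raw response from a request that carried Origin: https://attacker.example (or any host you control) and a session cookie, since some applications only emit CORS headers on credentialed or preflighted requests; only the first two constructed responses above are reported.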
Monitoring Recommendations
- Enable detailed logging of CORS-related headers on all API endpoints handling authenticated requests
- Set up alerts for cross-origin requests originating from untrusted or unexpected domains
- Monitor for anomalous patterns of data exfiltration that could indicate exploitation of CORS vulnerabilities
- Implement regular dependency scanning to detect outdated GoFiber versions in CI/CD pipelines
How to Mitigate CVE-2024-25124
Immediate Actions Required
- Upgrade GoFiber to version 2.52.1 or later immediately by running go get github.com/gofiber/fiber/v2@v2.52.1
- Audit all CORS middleware configurations to ensure wildcard origins are not combined with credential support
- If immediate upgrade is not possible, manually validate CORS configurations to prevent the insecure combination
- Review application logs for signs of potential exploitation before and during the patching process
Patch Information
GoFiber has released version 2.52.1 which contains a fix for this vulnerability. The patch modifies the CORS middleware to prevent the access-control-allow-credentials header from being set to true when wildcard origins are configured. The fix can be found in commit f0cd3b44b086544a37886232d0530601f2406c23. For complete details, refer to the GitHub Security Advisory GHSA-fmg4-x8pw-hjhg and the release notes for v2.52.1.
Workarounds
- Manually validate all CORS configurations to ensure AllowOrigins does not contain * when AllowCredentials is set to true
- Replace wildcard origins with an explicit allowlist of trusted domains when credentials are required
- Implement a custom AllowOriginsFunc that validates origins against a secure allowlist before returning true, and never returns true for every origin or for a wildcard, since a true result reflects the request's Origin with credentials
- Consider disabling AllowCredentials entirely if cross-origin credential sharing is not a business requirement
# Configuration example
# Update GoFiber to the patched version
go get github.com/gofiber/fiber/v2@v2.52.1
# Verify the resolved version (expect v2.52.1 or later)
go list -m github.com/gofiber/fiber/v2

// Secure CORS configuration (Go): an explicit allowlist instead of "*" whenever
// credentials are enabled; wildcard origins must never be combined with them.
// import "github.com/gofiber/fiber/v2/middleware/cors"
app.Use(cors.New(cors.Config{
    AllowOrigins:     "https://trusted-domain.com,https://another-trusted.com",
    AllowCredentials: true,
    AllowMethods:     "GET,POST,PUT,DELETE",
}))
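The startup guard discussed under Root Cause and the allowlist-based AllowOriginsFunc from the workarounds, as one added Go example (not code from the page or from the Fiber project). It runs without the framework: CORSConfig is a stand-in for the three cors.Config fields involved, DecideCORS is an assumed simplified model of the behaviour the patch's doc comments describe rather than Fiber's implementation, and the origins https://trusted-domain.com, https://another-trusted.com and https://attacker.example are placeholders. AllowlistFunc has the func(origin string) bool shape shown for AllowOriginsFunc in the patch, so it can be passed to cors.Config directly in a real application:

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// CORSConfig stands in for the three fiber cors.Config fields this advisory
// concerns; it is an illustration type, not fiber's own, so this runs without the framework.
type CORSConfig struct {
	AllowOrigins     string            // comma separated list; "*" means any origin
	AllowOriginsFunc func(string) bool // true => the request Origin is reflected
	AllowCredentials bool
}

// ErrInsecureCORS marks the wildcard-plus-credentials combination from the advisory.
var ErrInsecureCORS = errors.New("insecure CORS setup: AllowCredentials is true with a wildcard origin")

// ValidateCORSConfig is a startup guard for deployments that cannot upgrade yet:
// run it before app.Use(cors.New(...)) and refuse to start on error.
func ValidateCORSConfig(cfg CORSConfig) error {
	if !cfg.AllowCredentials {
		return nil
	}
	for _, o := range strings.Split(cfg.AllowOrigins, ",") {
		if strings.TrimSpace(o) == "*" {
			return ErrInsecureCORS
		}
	}
	return nil
}

// AllowlistFunc returns a strict AllowOriginsFunc: the request Origin must equal a
// trusted "scheme://host[:port]" exactly (case-insensitive); "*", empty values and
// anything carrying a path, query or userinfo are rejected.
func AllowlistFunc(trusted ...string) (func(string) bool, error) {
	set := make(map[string]struct{}, len(trusted))
	for _, t := range trusted {
		key, ok := originKey(t)
		if !ok {
			return nil, fmt.Errorf("allowlist entry %q is not a bare origin", t)
		}
		set[key] = struct{}{}
	}
	return func(origin string) bool {
		key, ok := originKey(origin)
		if !ok {
			return false
		}
		_, found := set[key]
		return found
	}, nil
}

// originKey normalises "scheme://host[:port]" and rejects anything else.
func originKey(s string) (string, bool) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme == "" || u.Host == "" || u.Path != "" ||
		u.RawQuery != "" || u.Fragment != "" || u.User != nil {
		return "", false
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), true
}

// DecideCORS is a simplified model (an assumption of this example, not fiber's code)
// of the behaviour the patch's doc comments describe: a true AllowOriginsFunc reflects
// the request Origin, a listed origin is echoed, "*" is sent as-is, and the credentials
// header is emitted only when the chosen origin is not the wildcard.
func DecideCORS(cfg CORSConfig, requestOrigin string) (allowOrigin string, allowCredentials bool) {
	if cfg.AllowOriginsFunc != nil && cfg.AllowOriginsFunc(requestOrigin) {
		allowOrigin = requestOrigin
	} else {
		for _, o := range strings.Split(cfg.AllowOrigins, ",") {
			if o = strings.TrimSpace(o); o == "*" || strings.EqualFold(o, requestOrigin) {
				allowOrigin = o
				break
			}
		}
	}
	return allowOrigin, cfg.AllowCredentials && allowOrigin != "" && allowOrigin != "*"
}

func main() {
	const attacker = "https://attacker.example"
	// The advisory's vulnerable shape is rejected by the guard.
	fmt.Println("wildcard+credentials:", ValidateCORSConfig(CORSConfig{AllowOrigins: "*", AllowCredentials: true}))
	// The browser-exploitable variant: every origin is reflected together with
	// credentials, and a check that only looks for the literal "*" cannot see it.
	o, c := DecideCORS(CORSConfig{AllowOriginsFunc: func(string) bool { return true }, AllowCredentials: true}, attacker)
	fmt.Printf("permissive func: origin=%s credentials=%v\n", o, c)
	// Hardened: explicit allowlist, so credentials travel only to trusted origins.
	allow, err := AllowlistFunc("https://trusted-domain.com", "https://another-trusted.com")
	if err != nil {
		panic(err)
	}
	o, c = DecideCORS(CORSConfig{AllowOriginsFunc: allow, AllowCredentials: true}, attacker)
	fmt.Printf("allowlist vs attacker: origin=%q credentials=%v\n", o, c)
}
```

The point of DecideCORS is the middle case in main: a callback that returns true for everything is not caught by a check on the literal "*", yet it hands an attacker-controlled origin the credentials header, which is exactly what browsers will honour. Validate the static list with ValidateCORSConfig and only ever pass a strict allowlist (or an equally strict function) as AllowOriginsFunc.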
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

