Fiber is a popular web framework for Go, inspired by Express.js, widely used for building web applications and APIs. CVE-2026-25891 identifies a path traversal vulnerability (CWE-22) in Fiber’s static middleware component affecting versions from 3.0.0 up to but not including 3.1.0. The vulnerability allows a remote attacker to craft specially crafted requests that bypass the static middleware's path sanitization checks on Windows operating systems. This bypass enables the attacker to access arbitrary files on the server filesystem outside the intended restricted directory. The root cause is improper validation and limitation of pathname inputs, which fails to prevent directory traversal sequences such as '..\' on Windows. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network. The CVSS 4.0 base score is 7.7 (high), reflecting the ease of exploitation and the high impact on confidentiality. The vulnerability was reserved on 2026-02-06 and published on 2026-02-24. The issue has been fixed in Fiber version 3.1.0 by improving the static middleware’s path sanitization logic to correctly restrict access to files outside the designated directory. No known exploits have been reported in the wild yet, but the risk remains significant for affected deployments. This vulnerability specifically impacts Windows deployments of Fiber, as the path traversal bypass is tied to Windows path handling.

The primary impact of this vulnerability is unauthorized disclosure of sensitive files on the server hosting Fiber applications. Attackers can read arbitrary files such as configuration files, source code, credentials, or other sensitive data stored on the filesystem. This compromises confidentiality and can lead to further attacks such as credential theft, lateral movement, or data exfiltration. Since no authentication is required, any exposed Fiber application running vulnerable versions on Windows is at risk. The integrity and availability of the system are not directly impacted by this vulnerability. However, the breach of confidentiality can have severe consequences including regulatory non-compliance, reputational damage, and financial loss. Organizations using Fiber for web services on Windows servers are particularly vulnerable, especially if static file serving is enabled and accessible externally. The lack of known exploits in the wild suggests limited active exploitation currently, but the ease of exploitation and high impact make timely remediation critical.

1. Upgrade all Fiber deployments to version 3.1.0 or later, where the vulnerability has been patched. 2. If immediate upgrade is not feasible, disable or restrict the use of the static middleware serving files on Windows until patched. 3. Implement strict access controls and network segmentation to limit external access to Fiber applications, especially those serving static files. 4. Employ Web Application Firewalls (WAFs) with rules to detect and block path traversal attempts targeting Fiber applications. 5. Conduct thorough code reviews and security testing of any custom middleware or static file handling logic to ensure proper path sanitization. 6. Monitor logs for suspicious requests containing directory traversal patterns such as '..\' or encoded variants. 7. Educate development and operations teams about secure handling of file paths and the risks of path traversal. 8. Consider deploying runtime application self-protection (RASP) solutions that can detect and block exploitation attempts in real time. These steps go beyond generic advice by focusing on immediate patching, configuration hardening, monitoring, and layered defenses specific to Fiber on Windows environments.