Session Fixation Affecting github.com/gofiber/fiber/v2/middleware/session package, versions >=2.0.0 <2.52.5
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-GOLANG-GITHUBCOMGOFIBERFIBERV2MIDDLEWARESESSION-7413649
- published1 Jul 2024
- disclosed30 Jun 2024
- creditJason McNeil
Introduced: 30 Jun 2024
CVE-2024-38513 Â (opens in a new tab)How to fix?
Upgrade github.com/gofiber/fiber/v2/middleware/session to version 2.52.5 or higher.
Overview
Affected versions of this package are vulnerable to Session Fixation through the session middleware component.
This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks.
Workaround
Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk:
Validate Session IDs: Implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server.
Session Management: Regularly rotate session IDs and enforce strict session expiration policies