CVE-2026-53624
Received Received - Intake

Strict Transport Security Bypass in Fiber Framework

Vulnerability report for CVE-2026-53624, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gofiber fiber 3.4.0
gofiber fiber to 3.4.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability in Fiber's helmet middleware causes the Strict-Transport-Security (HSTS) header to never be set even when configured, due to incorrect HTTPS detection. This omission disables HSTS protection, leaving applications vulnerable to SSL stripping attacks, protocol downgrades, and cookie theft over unencrypted HTTP connections.

Since HSTS is a critical security control that enforces HTTPS connections, its absence can lead to exposure of sensitive data in transit. This exposure can impact compliance with security requirements in common standards and regulations such as GDPR and HIPAA, which mandate protection of personal and health data during transmission.

Therefore, the vulnerability undermines the ability of applications using Fiber's helmet middleware to enforce secure connections, potentially leading to non-compliance with these regulations due to increased risk of data interception and man-in-the-middle attacks.

Executive Summary

CVE-2026-53624 is a security vulnerability in the Fiber web framework's helmet middleware, which is responsible for setting security headers. The issue arises because the middleware incorrectly checks the connection protocol using c.Protocol() instead of c.Scheme() to detect HTTPS. Since c.Protocol() returns HTTP protocol versions like "HTTP/1.1" rather than the scheme "http" or "https", the middleware never sets the Strict-Transport-Security (HSTS) header even when configured. This means that HSTS protection is effectively disabled, leaving applications vulnerable to attacks that rely on unencrypted HTTP connections.

The vulnerability was fixed in Fiber version 3.4.0 by updating the HTTPS detection method to use c.Scheme(), improving HSTS header emission logic, and adding validation to prevent misconfigurations such as negative HSTSMaxAge values or conflicting preload directives.

Impact Analysis

This vulnerability can impact you by leaving your web application exposed to man-in-the-middle attacks such as SSL stripping and protocol downgrade attacks. Because the Strict-Transport-Security header is not set, browsers may not enforce HTTPS connections, allowing attackers to intercept or manipulate traffic over unencrypted HTTP.

Consequently, sensitive data transmitted between clients and your server, including cookies and authentication tokens, could be exposed or stolen. This undermines the confidentiality and integrity of your application’s communications.

Detection Guidance

This vulnerability relates to the Fiber web framework's helmet middleware not setting the Strict-Transport-Security (HSTS) header correctly due to improper HTTPS detection. Detection involves verifying if the HSTS header is missing in HTTPS responses when it is expected to be present.

To detect this on your system or network, you can inspect HTTP response headers from your Fiber-based web application to check if the Strict-Transport-Security header is absent despite HSTS being configured.

  • Use curl to make an HTTPS request and check headers: curl -I https://yourdomain.com
  • Look for the presence of the Strict-Transport-Security header in the response. If it is missing, the vulnerability may be present.
  • Alternatively, use tools like nmap with the http-security-headers script: nmap --script http-security-headers -p 443 yourdomain.com

Since the issue is in the middleware code checking c.Protocol() instead of c.Scheme(), you can also review your Fiber application code or middleware version to confirm if it is prior to version 3.4.0 where the fix was applied.

Mitigation Strategies

The primary mitigation is to upgrade the Fiber framework to version 3.4.0 or later, where the vulnerability is fixed by correcting HTTPS detection in the helmet middleware.

Ensure that your helmet middleware configuration uses a positive HSTSMaxAge value and that the middleware is properly setting the Strict-Transport-Security header for HTTPS requests.

  • Update Fiber to v3.4.0 or newer.
  • Verify and correct helmet middleware configuration, ensuring HSTSMaxAge is non-negative and preload directives are correctly set.
  • Test your application to confirm that the Strict-Transport-Security header is present on HTTPS responses.

If immediate upgrade is not possible, consider implementing external measures such as web application firewalls or reverse proxies that enforce HSTS headers until the application is patched.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53624. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart