# REPRO-2026-00157: Fiber v3: cache middleware key collision leaks responses across different query strings

## Summary
Status: published
Severity: medium
Type: security
Confidence: Unknown

## Identifiers
REPRO ID: REPRO-2026-00157
GHSA: GHSA-35hp-hqmv-8qg8
CVE: CVE-2026-30246

## Package
Name: github.com/gofiber/fiber/v3
Ecosystem: go
Affected: <= 3.1.0
Fixed: 3.2.0

## Root Cause
# RCA Report: CVE-2026-30246 — Fiber v3 Cache Middleware Key Collision

## Summary

In `github.com/gofiber/fiber/v3` versions `<= 3.1.0`, the default `KeyGenerator` of the `cache` middleware returns only `c.Path()`, ignoring the query string and all other request dimensions. This causes cache key collisions for requests to the same path with different query parameters (e.g., `/?id=1` vs `/?id=2`). The second request receives the first request's cached response, leading to cross-user information disclosure and cache confusion (CWE-200 / CWE-524).

## Impact

- **Package**: `github.com/gofiber/fiber/v3` (Go module)
- **Affected versions**: `<= 3.1.0`
- **Fixed version**: `3.2.0`
- **Severity**: Medium (CVSS 3.1 base 6.5)
- **Consequences**: Any application using the default cache middleware without a custom `KeyGenerator` is vulnerable to cache confusion. Responses tailored to one user's query parameters may be leaked to another user requesting the same path with different parameters.

## Root Cause

The vulnerable code in `middleware/cache/config.go` at v3.1.0 defines the default `KeyGenerator` as:

```go
KeyGenerator: func(c fiber.Ctx) string {
    return utils.CopyString(c.Path())
},
```

In `middleware/cache/cache.go`, the cache lookup key is built as:

```go
baseKey := cfg.KeyGenerator(c) + "_" + requestMethod
```

Because `c.Path()` returns only the URL path without the query string, requests to `/?id=1` and `/?id=2` both resolve to the same cache key (`/_GET`). The second request therefore hits the cached entry from the first request and receives the wrong response body.

The fix in v3.2.0 (commits `9a0d12c07ed895b84c72987f9288b04137afe5de` and `050ff1ff18511c1475b8ec627460216aaec627460216aaecddd4e`) completely rewrites the default key generator (`defaultKeyGenerator`) to include:
- HTTP method
- Escaped path (preventing delimiter injection)
- Canonical query string (sorted, with bounds to prevent DoS)
- Selected representation headers (`Accept`, `Accept-Encoding`, `Accept-Language`)
- Optional cookie dimensions

This ensures requests with different query parameters produce distinct cache keys, eliminating the collision.

## Reproduction Steps

1. Run `repro/reproduction_steps.sh`.
2. The script creates a scratch Go module, installs Fiber v3.1.0 (vulnerable) and v3.2.0 (fixed) separately, and for each version:
   - Builds a small Fiber server with the default `cache.New()` middleware.
   - Registers a handler on `/` that returns the `id` query parameter.
   - Issues `GET /?id=1` followed by `GET /?id=2`.
   - Captures the two response bodies to `logs/vulnerable_output.txt` and `logs/fixed_output.txt`.
3. **Expected evidence**:
   - **Vulnerable (v3.1.0)**: both responses are `1` (the second request hits the cache entry from the first because the query string is ignored in the key).
   - **Fixed (v3.2.0)**: responses are `1` then `2` (each request gets its own cache key because the query string is included).

## Evidence

- `logs/vulnerable_output.txt`:
  ```
  1
  1
  ```
- `logs/fixed_output.txt`:
  ```
  1
  2
  ```
- `logs/summary.txt`: contains the full run output with confirmation messages.
- `repro/runtime_manifest.json`: structured evidence with request/response pairs and verdict.

## Recommendations / Next Steps

1. **Upgrade immediately** to `github.com/gofiber/fiber/v3@v3.2.0` or later.
2. **If a custom `KeyGenerator` is in use**, audit it to ensure query strings, headers, or other user-specific dimensions are incorporated into the key.
3. **Regression test**: add an integration test that issues two requests to the same path with different query parameters and asserts distinct response bodies when caching is enabled.

## Additional Notes

- **Idempotency**: `repro/reproduction_steps.sh` was executed twice consecutively with identical results, confirming idempotency.
- **Edge cases**: The vulnerability is present regardless of the number or names of query parameters, as long as the path component remains identical. The default cache middleware only caches `GET` and `HEAD` requests, so other HTTP methods are not affected by this specific key collision.


## Reproduction Details
Reproduced: 2026-05-23T06:41:54.495Z
Duration: 1631 seconds
Tool calls: 116
Turns: 106
Handoffs: 2


## Quick Verification
Run one of these commands to verify locally:

    pruva-verify REPRO-2026-00157
    pruva-verify GHSA-35hp-hqmv-8qg8
    pruva-verify CVE-2026-30246

Or open in GitHub Codespaces (zero-friction, auto-runs):

    https://github.com/codespaces/new?ref=repro/REPRO-2026-00157&repo=N3mes1s/pruva-sandbox

Or download and run the script manually:

    curl -O https://api.pruva.dev/v1/reproductions/REPRO-2026-00157/artifacts/repro/reproduction_steps.sh
    chmod +x reproduction_steps.sh
    ./reproduction_steps.sh

WARNING: Run in a sandboxed environment. This exploits a real vulnerability.

## References
- GitHub Advisory: https://github.com/advisories/GHSA-35hp-hqmv-8qg8
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-30246


## Artifacts
- repro/rca_report.md (analysis, 4144 bytes)
- repro/reproduction_steps.sh (reproduction_script, 5043 bytes)
- vuln_variant/rca_report.md (analysis, 7664 bytes)
- vuln_variant/reproduction_steps.sh (reproduction_script, 7042 bytes)
- bundle/context.json (other, 3039 bytes)
- bundle/metadata.json (other, 741 bytes)
- bundle/ticket.md (ticket, 3111 bytes)
- repro/runtime_manifest.json (other, 456 bytes)
- repro/validation_verdict.json (other, 1001 bytes)
- vuln_variant/fiber_repo/go.mod (other, 926 bytes)
- vuln_variant/fiber_repo/req.go (other, 37850 bytes)
- vuln_variant/fiber_repo/constants.go (other, 18269 bytes)
- vuln_variant/fiber_repo/register.go (other, 4822 bytes)
- vuln_variant/fiber_repo/redirect_msgp.go (other, 6625 bytes)
- vuln_variant/fiber_repo/log/log.go (other, 2909 bytes)
- vuln_variant/fiber_repo/log/default.go (other, 9925 bytes)
- vuln_variant/fiber_repo/log/default_test.go (other, 17813 bytes)
- vuln_variant/fiber_repo/log/context_test.go (other, 13085 bytes)
- vuln_variant/fiber_repo/log/context.go (other, 9337 bytes)
- vuln_variant/fiber_repo/log/fiberlog_test.go (other, 3752 bytes)
- vuln_variant/fiber_repo/log/fiberlog.go (other, 3896 bytes)
- vuln_variant/fiber_repo/.gitattributes (other, 517 bytes)
- vuln_variant/fiber_repo/adapter.go (other, 7190 bytes)
- vuln_variant/fiber_repo/errors_internal.go (other, 427 bytes)
- vuln_variant/fiber_repo/addon/retry/config_test.go (other, 1771 bytes)
- vuln_variant/fiber_repo/addon/retry/exponential_backoff.go (other, 2136 bytes)
- vuln_variant/fiber_repo/addon/retry/README.md (documentation, 3117 bytes)
- vuln_variant/fiber_repo/addon/retry/exponential_backoff_test.go (other, 4142 bytes)
- vuln_variant/fiber_repo/addon/retry/config.go (other, 1690 bytes)
- vuln_variant/fiber_repo/helpers.go (other, 30589 bytes)
- vuln_variant/fiber_repo/mount.go (other, 6954 bytes)
- vuln_variant/fiber_repo/ctx_interface_gen.go (other, 27583 bytes)
- vuln_variant/fiber_repo/app_integration_test.go (other, 37282 bytes)
- vuln_variant/fiber_repo/Makefile (other, 2569 bytes)
- vuln_variant/fiber_repo/middleware/adaptor/adaptor.go (other, 9613 bytes)
- vuln_variant/fiber_repo/middleware/adaptor/adaptor_test.go (other, 45272 bytes)
- vuln_variant/fiber_repo/middleware/skip/skip_test.go (other, 1427 bytes)
- vuln_variant/fiber_repo/middleware/skip/skip.go (other, 479 bytes)
- vuln_variant/fiber_repo/middleware/sse/constants.go (other, 61 bytes)
- vuln_variant/fiber_repo/middleware/sse/event.go (other, 4432 bytes)
- vuln_variant/fiber_repo/middleware/sse/sse_test.go (other, 14989 bytes)
- vuln_variant/fiber_repo/middleware/sse/sse.go (other, 5300 bytes)
- vuln_variant/fiber_repo/middleware/sse/config.go (other, 1599 bytes)
- vuln_variant/fiber_repo/middleware/cache/cache_security_test.go (other, 19442 bytes)
- vuln_variant/fiber_repo/middleware/cache/manager_msgp.go (other, 23025 bytes)
- vuln_variant/fiber_repo/middleware/cache/cache_test.go (other, 165373 bytes)
- vuln_variant/fiber_repo/middleware/cache/manager_msgp_test.go (other, 4462 bytes)
- vuln_variant/fiber_repo/middleware/cache/manager_test.go (other, 1092 bytes)
- vuln_variant/fiber_repo/middleware/cache/cache.go (other, 44772 bytes)
- vuln_variant/fiber_repo/middleware/cache/manager.go (other, 5741 bytes)
- vuln_variant/fiber_repo/middleware/cache/heap.go (other, 3039 bytes)
- vuln_variant/fiber_repo/middleware/cache/config.go (other, 6797 bytes)
- vuln_variant/fiber_repo/middleware/basicauth/basicauth_test.go (other, 21096 bytes)
- vuln_variant/fiber_repo/middleware/basicauth/basicauth.go (other, 4159 bytes)
- vuln_variant/fiber_repo/middleware/basicauth/config.go (other, 8915 bytes)
- vuln_variant/fiber_repo/middleware/envvar/envvar_test.go (other, 4352 bytes)
- vuln_variant/fiber_repo/middleware/envvar/envvar.go (other, 1438 bytes)
- vuln_variant/fiber_repo/middleware/envvar/config.go (other, 495 bytes)
- vuln_variant/fiber_repo/middleware/static/static_test.go (other, 48193 bytes)
- vuln_variant/fiber_repo/middleware/static/static.go (other, 8787 bytes)
- vuln_variant/fiber_repo/middleware/static/config.go (other, 2413 bytes)
- vuln_variant/fiber_repo/middleware/paginate/paginate_test.go (other, 31202 bytes)
- vuln_variant/fiber_repo/middleware/paginate/paginate.go (other, 3222 bytes)
- vuln_variant/fiber_repo/middleware/paginate/page_info.go (other, 5322 bytes)
- vuln_variant/fiber_repo/middleware/paginate/config.go (other, 2618 bytes)
- vuln_variant/fiber_repo/middleware/pprof/pprof.go (other, 2535 bytes)
- vuln_variant/fiber_repo/middleware/pprof/pprof_test.go (other, 4981 bytes)
- vuln_variant/fiber_repo/middleware/pprof/config.go (other, 864 bytes)
- vuln_variant/fiber_repo/middleware/helmet/helmet.go (other, 2318 bytes)
- vuln_variant/fiber_repo/middleware/helmet/helmet_test.go (other, 9492 bytes)
- vuln_variant/fiber_repo/middleware/helmet/config.go (other, 3680 bytes)
- vuln_variant/fiber_repo/middleware/etag/etag_test.go (other, 7010 bytes)
- vuln_variant/fiber_repo/middleware/etag/etag.go (other, 2960 bytes)
- vuln_variant/fiber_repo/middleware/etag/config.go (other, 1139 bytes)
- vuln_variant/fiber_repo/middleware/expvar/expvar_test.go (other, 2464 bytes)
- vuln_variant/fiber_repo/middleware/expvar/expvar.go (other, 723 bytes)
- vuln_variant/fiber_repo/middleware/expvar/config.go (other, 586 bytes)
- vuln_variant/fiber_repo/middleware/favicon/favicon_test.go (other, 6397 bytes)
- vuln_variant/fiber_repo/middleware/favicon/favicon.go (other, 2557 bytes)
- vuln_variant/fiber_repo/middleware/favicon/config.go (other, 1752 bytes)
- vuln_variant/fiber_repo/middleware/session/config_test.go (other, 1600 bytes)
- vuln_variant/fiber_repo/middleware/session/middleware.go (other, 7678 bytes)
- vuln_variant/fiber_repo/middleware/session/store.go (other, 7548 bytes)
- vuln_variant/fiber_repo/middleware/session/data_test.go (other, 6994 bytes)
- vuln_variant/fiber_repo/middleware/session/session.go (other, 14197 bytes)
- vuln_variant/fiber_repo/middleware/session/session_test.go (other, 44606 bytes)
- vuln_variant/fiber_repo/middleware/session/store_test.go (other, 5831 bytes)
- vuln_variant/fiber_repo/middleware/session/middleware_test.go (other, 19817 bytes)
- vuln_variant/fiber_repo/middleware/session/data.go (other, 2553 bytes)
- vuln_variant/fiber_repo/middleware/session/data_msgp_test.go (other, 75 bytes)
- vuln_variant/fiber_repo/middleware/session/data_msgp.go (other, 75 bytes)
- vuln_variant/fiber_repo/middleware/session/config.go (other, 4374 bytes)
- vuln_variant/fiber_repo/middleware/recover/recover_test.go (other, 2677 bytes)
- vuln_variant/fiber_repo/middleware/recover/recover.go (other, 1203 bytes)
- vuln_variant/fiber_repo/middleware/recover/config.go (other, 1417 bytes)
- vuln_variant/fiber_repo/middleware/limiter/limiter_fixed.go (other, 3521 bytes)
- vuln_variant/fiber_repo/middleware/limiter/limiter.go (other, 1073 bytes)
- vuln_variant/fiber_repo/middleware/limiter/manager_msgp.go (other, 3472 bytes)
- vuln_variant/fiber_repo/middleware/limiter/manager_msgp_test.go (other, 2098 bytes)
- vuln_variant/fiber_repo/middleware/limiter/limiter_sliding.go (other, 6188 bytes)
- vuln_variant/fiber_repo/middleware/limiter/manager.go (other, 2736 bytes)
- vuln_variant/fiber_repo/middleware/limiter/config.go (other, 3816 bytes)
- vuln_variant/fiber_repo/middleware/limiter/limiter_test.go (other, 49993 bytes)
- vuln_variant/fiber_repo/middleware/hostauthorization/hostauthorization_test.go (other, 21230 bytes)
- vuln_variant/fiber_repo/middleware/hostauthorization/config.go (other, 2021 bytes)
- vuln_variant/fiber_repo/middleware/hostauthorization/hostauthorization.go (other, 5643 bytes)
- vuln_variant/fiber_repo/middleware/earlydata/earlydata_test.go (other, 6378 bytes)
- vuln_variant/fiber_repo/middleware/earlydata/earlydata.go (other, 1213 bytes)
- vuln_variant/fiber_repo/middleware/earlydata/config.go (other, 1707 bytes)
- vuln_variant/fiber_repo/middleware/healthcheck/healthcheck.go (other, 1317 bytes)
- vuln_variant/fiber_repo/middleware/healthcheck/healthcheck_test.go (other, 12794 bytes)
- vuln_variant/fiber_repo/middleware/healthcheck/config.go (other, 2213 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/response_msgp_test.go (other, 2306 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/idempotency.go (other, 4868 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/response.go (other, 561 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/locker_test.go (other, 2803 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/response_msgp.go (other, 6282 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/idempotency_test.go (other, 13405 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/locker.go (other, 1374 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/config.go (other, 3330 bytes)
- vuln_variant/fiber_repo/middleware/idempotency/stub_test.go (other, 1771 bytes)
- vuln_variant/fiber_repo/middleware/responsetime/responsetime.go (other, 494 bytes)
- vuln_variant/fiber_repo/middleware/responsetime/responsetime_test.go (other, 2022 bytes)
- vuln_variant/fiber_repo/middleware/responsetime/config.go (other, 838 bytes)
- vuln_variant/fiber_repo/middleware/encryptcookie/encryptcookie.go (other, 1966 bytes)
- vuln_variant/fiber_repo/middleware/encryptcookie/config_test.go (other, 803 bytes)
- vuln_variant/fiber_repo/middleware/encryptcookie/utils.go (other, 3000 bytes)
- vuln_variant/fiber_repo/middleware/encryptcookie/encryptcookie_test.go (other, 19879 bytes)
- vuln_variant/fiber_repo/middleware/encryptcookie/config.go (other, 1838 bytes)
- vuln_variant/fiber_repo/middleware/keyauth/keyauth.go (other, 3790 bytes)
- vuln_variant/fiber_repo/middleware/keyauth/config_test.go (other, 2876 bytes)
- vuln_variant/fiber_repo/middleware/keyauth/keyauth_test.go (other, 36091 bytes)
- vuln_variant/fiber_repo/middleware/keyauth/config.go (other, 4882 bytes)
- vuln_variant/fiber_repo/middleware/logger/utils.go (other, 2533 bytes)
- vuln_variant/fiber_repo/middleware/logger/logger_test.go (other, 41252 bytes)
- vuln_variant/fiber_repo/middleware/logger/logger.go (other, 4017 bytes)
- vuln_variant/fiber_repo/middleware/logger/format.go (other, 1028 bytes)
- vuln_variant/fiber_repo/middleware/logger/data.go (other, 517 bytes)
- vuln_variant/fiber_repo/middleware/logger/errors.go (other, 1348 bytes)
- vuln_variant/fiber_repo/middleware/logger/config.go (other, 5710 bytes)
- vuln_variant/fiber_repo/middleware/logger/errors_test.go (other, 872 bytes)
- vuln_variant/fiber_repo/middleware/logger/default_logger.go (other, 4773 bytes)
- vuln_variant/fiber_repo/middleware/logger/context_tag.go (other, 2363 bytes)
- vuln_variant/fiber_repo/middleware/logger/tags.go (other, 9243 bytes)
- vuln_variant/fiber_repo/middleware/cors/utils.go (other, 3208 bytes)
- vuln_variant/fiber_repo/middleware/cors/utils_test.go (other, 11265 bytes)
- vuln_variant/fiber_repo/middleware/cors/cors_test.go (other, 51701 bytes)
- vuln_variant/fiber_repo/middleware/cors/config.go (other, 3889 bytes)
- vuln_variant/fiber_repo/middleware/cors/cors.go (other, 8210 bytes)
- vuln_variant/fiber_repo/middleware/proxy/proxy.go (other, 7689 bytes)
- vuln_variant/fiber_repo/middleware/proxy/proxy_test.go (other, 31275 bytes)
- vuln_variant/fiber_repo/middleware/proxy/config.go (other, 2558 bytes)
- vuln_variant/fiber_repo/middleware/rewrite/rewrite.go (other, 1194 bytes)
- vuln_variant/fiber_repo/middleware/rewrite/rewrite_test.go (other, 9212 bytes)
- vuln_variant/fiber_repo/middleware/rewrite/config.go (other, 860 bytes)
- vuln_variant/fiber_repo/middleware/requestid/requestid_test.go (other, 6960 bytes)
- vuln_variant/fiber_repo/middleware/requestid/requestid.go (other, 2269 bytes)
- vuln_variant/fiber_repo/middleware/requestid/config.go (other, 1182 bytes)
- vuln_variant/fiber_repo/middleware/compress/compress_test.go (other, 25309 bytes)
- vuln_variant/fiber_repo/middleware/compress/config.go (other, 1248 bytes)
- vuln_variant/fiber_repo/middleware/compress/compress.go (other, 3075 bytes)
- vuln_variant/fiber_repo/middleware/redirect/redirect.go (other, 1482 bytes)
- vuln_variant/fiber_repo/middleware/redirect/redirect_test.go (other, 7266 bytes)
- vuln_variant/fiber_repo/middleware/redirect/config.go (other, 1211 bytes)
- vuln_variant/fiber_repo/middleware/timeout/timeout.go (other, 5910 bytes)
- vuln_variant/fiber_repo/middleware/timeout/timeout_test.go (other, 15052 bytes)
- vuln_variant/fiber_repo/middleware/timeout/config.go (other, 1218 bytes)
- vuln_variant/fiber_repo/middleware/csrf/helpers.go (other, 3879 bytes)
- vuln_variant/fiber_repo/middleware/csrf/config_test.go (other, 10555 bytes)
- vuln_variant/fiber_repo/middleware/csrf/token.go (other, 288 bytes)
- vuln_variant/fiber_repo/middleware/csrf/csrf_test.go (other, 77307 bytes)
- vuln_variant/fiber_repo/middleware/csrf/helpers_test.go (other, 8861 bytes)
- vuln_variant/fiber_repo/middleware/csrf/storage_manager_msgp_test.go (other, 2235 bytes)
- vuln_variant/fiber_repo/middleware/csrf/session_manager.go (other, 2372 bytes)
- vuln_variant/fiber_repo/middleware/csrf/csrf.go (other, 13169 bytes)
- vuln_variant/fiber_repo/middleware/csrf/storage_manager_msgp.go (other, 1721 bytes)
- vuln_variant/fiber_repo/middleware/csrf/storage_manager.go (other, 2537 bytes)
- vuln_variant/fiber_repo/middleware/csrf/config.go (other, 6990 bytes)
- vuln_variant/fiber_repo/redirect.go (other, 10058 bytes)
- vuln_variant/fiber_repo/shared_state_test.go (other, 21802 bytes)
- vuln_variant/fiber_repo/services.go (other, 5289 bytes)
- vuln_variant/fiber_repo/path_testcases_test.go (other, 29369 bytes)
- vuln_variant/fiber_repo/res.go (other, 33779 bytes)
- vuln_variant/fiber_repo/.github/SECURITY.md (documentation, 2566 bytes)
- vuln_variant/fiber_repo/.github/pull_request_template.md (documentation, 2819 bytes)
- vuln_variant/fiber_repo/.github/copilot-instructions.md (documentation, 404 bytes)
- vuln_variant/fiber_repo/.github/copilot-setup-steps.yml (other, 586 bytes)
- vuln_variant/fiber_repo/.github/.hound.yml (other, 24 bytes)
- vuln_variant/fiber_repo/.github/FUNDING.yml (other, 435 bytes)
- vuln_variant/fiber_repo/.github/ISSUE_TEMPLATE/maintenance-task.yaml (other, 2174 bytes)
- vuln_variant/fiber_repo/.github/ISSUE_TEMPLATE/config.yml (other, 28 bytes)
- vuln_variant/fiber_repo/.github/ISSUE_TEMPLATE/feature-request.yaml (other, 3060 bytes)
- vuln_variant/fiber_repo/.github/ISSUE_TEMPLATE/question.yaml (other, 1999 bytes)
- vuln_variant/fiber_repo/.github/ISSUE_TEMPLATE/bug-report.yaml (other, 3160 bytes)
- vuln_variant/fiber_repo/.github/labeler.yml (other, 215 bytes)
- vuln_variant/fiber_repo/.github/dependabot.yml (other, 1024 bytes)
- vuln_variant/fiber_repo/.github/README.md (documentation, 36433 bytes)
- vuln_variant/fiber_repo/.github/CODEOWNERS (other, 23 bytes)
- vuln_variant/fiber_repo/.github/index.html (other, 214 bytes)
- vuln_variant/fiber_repo/.github/workflows/benchmark.yml (other, 4463 bytes)
- vuln_variant/fiber_repo/.github/workflows/lint.yml (other, 314 bytes)
- vuln_variant/fiber_repo/.github/workflows/modernize.yml (other, 860 bytes)
- vuln_variant/fiber_repo/.github/workflows/after-release.yml (other, 1315 bytes)
- vuln_variant/fiber_repo/.github/workflows/markdown.yml (other, 569 bytes)
- vuln_variant/fiber_repo/.github/workflows/sync-docs.yml (other, 1043 bytes)
- vuln_variant/fiber_repo/.github/workflows/dependabot-on-demand.yml (other, 287 bytes)
- vuln_variant/fiber_repo/.github/workflows/update-version.yml (other, 3640 bytes)
- vuln_variant/fiber_repo/.github/workflows/cleanup-release-draft.yml (other, 534 bytes)
- vuln_variant/fiber_repo/.github/workflows/move-closed-milestone-items.yml (other, 4429 bytes)
- vuln_variant/fiber_repo/.github/workflows/dependabot_automerge.yml (other, 1347 bytes)
- vuln_variant/fiber_repo/.github/workflows/vulncheck.yml (other, 777 bytes)
- vuln_variant/fiber_repo/.github/workflows/release-drafter.yml (other, 340 bytes)
- vuln_variant/fiber_repo/.github/workflows/test.yml (other, 1622 bytes)
- vuln_variant/fiber_repo/.github/workflows/spell-check.yml (other, 1944 bytes)
- vuln_variant/fiber_repo/.github/workflows/v3-label-automation.yml (other, 1612 bytes)
- vuln_variant/fiber_repo/.github/workflows/auto-labeler.yml (other, 458 bytes)
- vuln_variant/fiber_repo/.github/workflows/manual-dependabot.yml (other, 1569 bytes)
- vuln_variant/fiber_repo/.github/config.yml (other, 1063 bytes)
- vuln_variant/fiber_repo/.github/.editorconfig (other, 354 bytes)
- vuln_variant/fiber_repo/.github/release-drafter.yml (other, 441 bytes)
- vuln_variant/fiber_repo/.github/codecov.yml (other, 478 bytes)
- vuln_variant/fiber_repo/.github/testdata2/bruh.tmpl (other, 17 bytes)
- vuln_variant/fiber_repo/.github/release.yml (other, 609 bytes)
- vuln_variant/fiber_repo/.github/testdata3/hello_world.tmpl (other, 27 bytes)
- vuln_variant/fiber_repo/.github/testdata/index.tmpl (other, 19 bytes)
- vuln_variant/fiber_repo/.github/testdata/main.tmpl (other, 17 bytes)
- vuln_variant/fiber_repo/.github/testdata/ca-chain.cert.pem (other, 3969 bytes)
- vuln_variant/fiber_repo/.github/testdata/ssl.pem (other, 1004 bytes)
- vuln_variant/fiber_repo/.github/testdata/favicon.ico (other, 4286 bytes)
- vuln_variant/fiber_repo/.github/testdata/index.html (other, 20 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/img/fiber.png (other, 1542 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/img/fiberpng.notvalidext (other, 1542 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/img/fiberpng.jpeg (other, 1542 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/img/fiberpng (other, 1542 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/index.html (other, 299 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/css/style.css (other, 46 bytes)
- vuln_variant/fiber_repo/.github/testdata/fs/css/test/style2.css (other, 23 bytes)
- vuln_variant/fiber_repo/.github/testdata/hello_world.tmpl (other, 27 bytes)
- vuln_variant/fiber_repo/.github/testdata/template.tmpl (other, 32 bytes)
- vuln_variant/fiber_repo/.github/testdata/testRoutes.json (other, 38375 bytes)
- vuln_variant/fiber_repo/.github/testdata/ssl.key (other, 1703 bytes)
- vuln_variant/fiber_repo/.github/testdata/template-invalid.html (other, 19 bytes)
- vuln_variant/fiber_repo/.github/CODE_OF_CONDUCT.md (documentation, 5398 bytes)
- vuln_variant/fiber_repo/.github/CONTRIBUTING.md (documentation, 1948 bytes)
- vuln_variant/fiber_repo/error_test.go (other, 1634 bytes)
- vuln_variant/fiber_repo/.cspell.json (other, 2012 bytes)
- vuln_variant/fiber_repo/ctx.go (other, 26516 bytes)
- vuln_variant/fiber_repo/prefork_logger.go (other, 476 bytes)
- vuln_variant/fiber_repo/helpers_test.go (other, 50261 bytes)
- vuln_variant/fiber_repo/app.go (other, 50961 bytes)
- vuln_variant/fiber_repo/readonly.go (other, 504 bytes)
- vuln_variant/fiber_repo/color.go (other, 1961 bytes)
- vuln_variant/fiber_repo/state_test.go (other, 25412 bytes)
- vuln_variant/fiber_repo/storage_interface.go (other, 1598 bytes)
- vuln_variant/fiber_repo/LICENSE (other, 1108 bytes)
- vuln_variant/fiber_repo/redirect_msgp_test.go (other, 4670 bytes)
- vuln_variant/fiber_repo/.markdownlint.yml (other, 10045 bytes)
- vuln_variant/fiber_repo/shared_state.go (other, 10933 bytes)
- vuln_variant/fiber_repo/listen.go (other, 17957 bytes)
- vuln_variant/fiber_repo/helpers_fuzz_test.go (other, 617 bytes)
- vuln_variant/fiber_repo/extractors/README.md (documentation, 3785 bytes)
- vuln_variant/fiber_repo/extractors/extractors.go (other, 17140 bytes)
- vuln_variant/fiber_repo/extractors/extractors_test.go (other, 29106 bytes)
- vuln_variant/fiber_repo/.gitignore (other, 431 bytes)
- vuln_variant/fiber_repo/adapter_test.go (other, 24551 bytes)
- vuln_variant/fiber_repo/ctx_interface.go (other, 3509 bytes)
- vuln_variant/fiber_repo/.editorconfig (other, 455 bytes)
- vuln_variant/fiber_repo/error.go (other, 3687 bytes)
- vuln_variant/fiber_repo/bind_test.go (other, 78133 bytes)
- vuln_variant/fiber_repo/redirect_test.go (other, 31858 bytes)
- vuln_variant/fiber_repo/res_interface_gen.go (other, 9152 bytes)
- vuln_variant/fiber_repo/listen_test.go (other, 23905 bytes)
- vuln_variant/fiber_repo/prefork.go (other, 3424 bytes)
- vuln_variant/fiber_repo/group.go (other, 8068 bytes)
- vuln_variant/fiber_repo/go.sum (other, 4108 bytes)
- vuln_variant/fiber_repo/domain_test.go (other, 53596 bytes)
- vuln_variant/fiber_repo/hooks_test.go (other, 16833 bytes)
- vuln_variant/fiber_repo/binder/binder_test.go (other, 4687 bytes)
- vuln_variant/fiber_repo/binder/header.go (other, 849 bytes)
- vuln_variant/fiber_repo/binder/xml.go (other, 601 bytes)
- vuln_variant/fiber_repo/binder/msgpack.go (other, 1207 bytes)
- vuln_variant/fiber_repo/binder/cookie_test.go (other, 2054 bytes)
- vuln_variant/fiber_repo/binder/xml_test.go (other, 2392 bytes)
- vuln_variant/fiber_repo/binder/uri_test.go (other, 1519 bytes)
- vuln_variant/fiber_repo/binder/README.md (documentation, 5906 bytes)
- vuln_variant/fiber_repo/binder/json_test.go (other, 2596 bytes)
- vuln_variant/fiber_repo/binder/mapping_test.go (other, 14766 bytes)
- vuln_variant/fiber_repo/binder/resp_header_test.go (other, 1917 bytes)
- vuln_variant/fiber_repo/binder/msgpack_test.go (other, 2447 bytes)
- vuln_variant/fiber_repo/binder/cbor_test.go (other, 2036 bytes)
- vuln_variant/fiber_repo/binder/uri.go (other, 658 bytes)
- vuln_variant/fiber_repo/binder/query.go (other, 829 bytes)
- vuln_variant/fiber_repo/binder/cbor.go (other, 1237 bytes)
- vuln_variant/fiber_repo/binder/mapping.go (other, 9542 bytes)
- vuln_variant/fiber_repo/binder/header_test.go (other, 2171 bytes)
- vuln_variant/fiber_repo/binder/form_test.go (other, 14792 bytes)
- vuln_variant/fiber_repo/binder/json.go (other, 518 bytes)
- vuln_variant/fiber_repo/binder/form.go (other, 2749 bytes)
- vuln_variant/fiber_repo/binder/resp_header.go (other, 856 bytes)
- vuln_variant/fiber_repo/binder/binder.go (other, 1852 bytes)
- vuln_variant/fiber_repo/binder/query_test.go (other, 6188 bytes)
- vuln_variant/fiber_repo/binder/cookie.go (other, 828 bytes)
- vuln_variant/fiber_repo/AGENTS.md (documentation, 3700 bytes)
- vuln_variant/fiber_repo/router_test.go (other, 66478 bytes)
- vuln_variant/fiber_repo/ctx_test.go (other, 273628 bytes)
- vuln_variant/fiber_repo/services_test.go (other, 21494 bytes)
- vuln_variant/fiber_repo/domain.go (other, 24357 bytes)
- vuln_variant/fiber_repo/client/request_test.go (other, 41271 bytes)
- vuln_variant/fiber_repo/client/transport_test.go (other, 16937 bytes)
- vuln_variant/fiber_repo/client/client_test.go (other, 55136 bytes)
- vuln_variant/fiber_repo/client/response.go (other, 6588 bytes)
- vuln_variant/fiber_repo/client/cookiejar.go (other, 11989 bytes)
- vuln_variant/fiber_repo/client/core_test.go (other, 13568 bytes)
- vuln_variant/fiber_repo/client/README.md (documentation, 1668 bytes)
- vuln_variant/fiber_repo/client/request_bench_test.go (other, 1529 bytes)
- vuln_variant/fiber_repo/client/cookiejar_test.go (other, 18430 bytes)
- vuln_variant/fiber_repo/client/client.go (other, 24427 bytes)
- vuln_variant/fiber_repo/client/transport.go (other, 11572 bytes)
- vuln_variant/fiber_repo/client/helper_test.go (other, 3374 bytes)
- vuln_variant/fiber_repo/client/response_test.go (other, 21557 bytes)
- vuln_variant/fiber_repo/client/hooks_test.go (other, 20839 bytes)
- vuln_variant/fiber_repo/client/errors.go (other, 537 bytes)
- vuln_variant/fiber_repo/client/core.go (other, 8382 bytes)
- vuln_variant/fiber_repo/client/hooks.go (other, 9290 bytes)
- vuln_variant/fiber_repo/client/request.go (other, 28384 bytes)
- vuln_variant/fiber_repo/mount_test.go (other, 17589 bytes)
- vuln_variant/fiber_repo/app_test.go (other, 91014 bytes)
- vuln_variant/fiber_repo/state.go (other, 9390 bytes)
- vuln_variant/fiber_repo/path.go (other, 28060 bytes)
- vuln_variant/fiber_repo/path_test.go (other, 22268 bytes)
- vuln_variant/fiber_repo/hooks.go (other, 12661 bytes)
- vuln_variant/fiber_repo/readonly_strict.go (other, 127 bytes)
- vuln_variant/fiber_repo/docs/partials/routing/handler.md (documentation, 1671 bytes)
- vuln_variant/fiber_repo/docs/partials/routing/use.md (documentation, 1644 bytes)
- vuln_variant/fiber_repo/docs/partials/routing/handler-types.md (documentation, 3801 bytes)
- vuln_variant/fiber_repo/docs/addon/_category_.json (other, 208 bytes)
- vuln_variant/fiber_repo/docs/addon/retry.md (documentation, 2966 bytes)
- vuln_variant/fiber_repo/docs/middleware/_category_.json (other, 331 bytes)
- vuln_variant/fiber_repo/docs/middleware/rewrite.md (documentation, 1433 bytes)
- vuln_variant/fiber_repo/docs/middleware/adaptor.md (documentation, 11825 bytes)
- vuln_variant/fiber_repo/docs/middleware/idempotency.md (documentation, 5061 bytes)
- vuln_variant/fiber_repo/docs/middleware/etag.md (documentation, 1736 bytes)
- vuln_variant/fiber_repo/docs/middleware/csrf.md (documentation, 20577 bytes)
- vuln_variant/fiber_repo/docs/middleware/basicauth.md (documentation, 5794 bytes)
- vuln_variant/fiber_repo/docs/middleware/redirect.md (documentation, 1513 bytes)
- vuln_variant/fiber_repo/docs/middleware/paginate.md (documentation, 7087 bytes)
- vuln_variant/fiber_repo/docs/middleware/helmet.md (documentation, 3730 bytes)
- vuln_variant/fiber_repo/docs/middleware/logger.md (documentation, 14877 bytes)
- vuln_variant/fiber_repo/docs/middleware/favicon.md (documentation, 2662 bytes)
- vuln_variant/fiber_repo/docs/middleware/healthcheck.md (documentation, 4686 bytes)
- vuln_variant/fiber_repo/docs/middleware/requestid.md (documentation, 2305 bytes)
- vuln_variant/fiber_repo/docs/middleware/timeout.md (documentation, 5260 bytes)
- vuln_variant/fiber_repo/docs/middleware/limiter.md (documentation, 7250 bytes)
- vuln_variant/fiber_repo/docs/middleware/keyauth.md (documentation, 10031 bytes)
- vuln_variant/fiber_repo/docs/middleware/pprof.md (documentation, 1674 bytes)
- vuln_variant/fiber_repo/docs/middleware/expvar.md (documentation, 1484 bytes)
- vuln_variant/fiber_repo/docs/middleware/cache.md (documentation, 10442 bytes)
- vuln_variant/fiber_repo/docs/middleware/sse.md (documentation, 5234 bytes)
- vuln_variant/fiber_repo/docs/middleware/envvar.md (documentation, 1410 bytes)
- vuln_variant/fiber_repo/docs/middleware/compress.md (documentation, 3024 bytes)
- vuln_variant/fiber_repo/docs/middleware/skip.md (documentation, 1181 bytes)
- vuln_variant/fiber_repo/docs/middleware/cors.md (documentation, 25419 bytes)
- vuln_variant/fiber_repo/docs/middleware/responsetime.md (documentation, 1090 bytes)
- vuln_variant/fiber_repo/docs/middleware/proxy.md (documentation, 10132 bytes)
- vuln_variant/fiber_repo/docs/middleware/recover.md (documentation, 2434 bytes)
- vuln_variant/fiber_repo/docs/middleware/encryptcookie.md (documentation, 5126 bytes)
- vuln_variant/fiber_repo/docs/middleware/session.md (documentation, 24459 bytes)
- vuln_variant/fiber_repo/docs/middleware/hostauthorization.md (documentation, 8939 bytes)
- vuln_variant/fiber_repo/docs/middleware/static.md (documentation, 5865 bytes)
- vuln_variant/fiber_repo/docs/middleware/earlydata.md (documentation, 2959 bytes)
- vuln_variant/fiber_repo/docs/extra/_category_.json (other, 148 bytes)
- vuln_variant/fiber_repo/docs/extra/internal.md (documentation, 19858 bytes)
- vuln_variant/fiber_repo/docs/extra/learning-resources.md (documentation, 1725 bytes)
- vuln_variant/fiber_repo/docs/extra/benchmarks.md (documentation, 2778 bytes)
- vuln_variant/fiber_repo/docs/extra/faq.md (documentation, 6714 bytes)
- vuln_variant/fiber_repo/docs/api/_category_.json (other, 155 bytes)
- vuln_variant/fiber_repo/docs/api/hooks.md (documentation, 8476 bytes)
- vuln_variant/fiber_repo/docs/api/services.md (documentation, 9782 bytes)
- vuln_variant/fiber_repo/docs/api/constants.md (documentation, 18144 bytes)
- vuln_variant/fiber_repo/docs/api/redirect.md (documentation, 5783 bytes)
- vuln_variant/fiber_repo/docs/api/state.md (documentation, 19251 bytes)
- vuln_variant/fiber_repo/docs/api/fiber.md (documentation, 67703 bytes)
- vuln_variant/fiber_repo/docs/api/log.md (documentation, 10677 bytes)
- vuln_variant/fiber_repo/docs/api/ctx.md (documentation, 84800 bytes)
- vuln_variant/fiber_repo/docs/api/bind.md (documentation, 26939 bytes)
- vuln_variant/fiber_repo/docs/api/app.md (documentation, 24254 bytes)
- vuln_variant/fiber_repo/docs/client/_category_.json (other, 146 bytes)
- vuln_variant/fiber_repo/docs/client/hooks.md (documentation, 7013 bytes)
- vuln_variant/fiber_repo/docs/client/rest.md (documentation, 17635 bytes)
- vuln_variant/fiber_repo/docs/client/request.md (documentation, 28782 bytes)
- vuln_variant/fiber_repo/docs/client/response.md (documentation, 7960 bytes)
- vuln_variant/fiber_repo/docs/client/examples.md (documentation, 5873 bytes)
- vuln_variant/fiber_repo/docs/whats_new.md (documentation, 122307 bytes)
- vuln_variant/fiber_repo/docs/guide/faster-fiber.md (documentation, 2562 bytes)
- vuln_variant/fiber_repo/docs/guide/_category_.json (other, 140 bytes)
- vuln_variant/fiber_repo/docs/guide/routing.md (documentation, 21947 bytes)
- vuln_variant/fiber_repo/docs/guide/context.md (documentation, 8644 bytes)
- vuln_variant/fiber_repo/docs/guide/templates.md (documentation, 5942 bytes)
- vuln_variant/fiber_repo/docs/guide/validation.md (documentation, 3381 bytes)
- vuln_variant/fiber_repo/docs/guide/advance-format.md (documentation, 3231 bytes)
- vuln_variant/fiber_repo/docs/guide/extractors.md (documentation, 15170 bytes)
- vuln_variant/fiber_repo/docs/guide/grouping.md (documentation, 3332 bytes)
- vuln_variant/fiber_repo/docs/guide/error-handling.md (documentation, 3695 bytes)
- vuln_variant/fiber_repo/docs/guide/reverse-proxy.md (documentation, 7060 bytes)
- vuln_variant/fiber_repo/docs/guide/utils.md (documentation, 4036 bytes)
- vuln_variant/fiber_repo/docs/intro.md (documentation, 5645 bytes)
- vuln_variant/fiber_repo/req_interface_gen.go (other, 11099 bytes)
- vuln_variant/fiber_repo/bind.go (other, 15301 bytes)
- vuln_variant/fiber_repo/internal/redact/redact_test.go (other, 604 bytes)
- vuln_variant/fiber_repo/internal/redact/redact.go (other, 1230 bytes)
- vuln_variant/fiber_repo/internal/contextvalue/contextvalue.go (other, 1071 bytes)
- vuln_variant/fiber_repo/internal/storage/memory/memory_test.go (other, 9548 bytes)
- vuln_variant/fiber_repo/internal/storage/memory/memory.go (other, 5332 bytes)
- vuln_variant/fiber_repo/internal/storage/memory/config.go (other, 676 bytes)
- vuln_variant/fiber_repo/internal/tlstest/tls.go (other, 4124 bytes)
- vuln_variant/fiber_repo/internal/loggertest/loggertest.go (other, 1093 bytes)
- vuln_variant/fiber_repo/internal/logtemplate/template.go (other, 4051 bytes)
- vuln_variant/fiber_repo/internal/logtemplate/errors.go (other, 1142 bytes)
- vuln_variant/fiber_repo/internal/logtemplate/template_test.go (other, 5666 bytes)
- vuln_variant/fiber_repo/internal/memory/memory_test.go (other, 1655 bytes)
- vuln_variant/fiber_repo/internal/memory/memory.go (other, 3742 bytes)
- vuln_variant/fiber_repo/prefork_test.go (other, 3444 bytes)
- vuln_variant/fiber_repo/router.go (other, 24929 bytes)
- vuln_variant/fiber_repo/.golangci.yml (other, 6310 bytes)
- vuln_variant/patch_analysis.md (documentation, 4487 bytes)
- vuln_variant/variant_manifest.json (other, 3150 bytes)
- vuln_variant/runtime_manifest.json (other, 799 bytes)
- vuln_variant/validation_verdict.json (other, 2243 bytes)
- logs/fixed_build.log (log, 6228 bytes)
- logs/vulnerable_output.txt (other, 4 bytes)
- logs/fixed_output.txt (other, 4 bytes)
- logs/vulnerable_build.log (log, 7044 bytes)
- logs/summary.txt (other, 337 bytes)
- logs/vuln_variant/put_patch_body.txt (other, 142 bytes)
- logs/vuln_variant/post_body_v320.txt (other, 184 bytes)
- logs/vuln_variant/variant_analysis.log (log, 746 bytes)
- logs/vuln_variant/post_body_v310.txt (other, 184 bytes)

## API Access
- JSON: https://api.pruva.dev/v1/reproductions/REPRO-2026-00157
- Script: https://api.pruva.dev/v1/reproductions/REPRO-2026-00157/artifacts/repro/reproduction_steps.sh
- Web: https://pruva.dev/r/REPRO-2026-00157

## For AI Assistants
To help users with this reproduction:
1. The `pruva-verify` command is the simplest way to run the reproduction
2. The script downloads and runs automatically in an isolated temp directory
3. Always recommend running in a VM, container, or disposable environment
4. The root cause explains the technical vulnerability

---
Generated by Pruva | https://pruva.dev