fix: upgrade gofiber/fiber v2.52.9 -> v2.52.11 (CVE-2025-66630) #62
Merged
PrashantRaj18198 merged 2 commits into main from Feb 12, 2026
Addresses critical vulnerability CVE-2025-66630 in the embedded gofiber/fiber dependency used by warpbuild-agentd.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
guptaankit015 approved these changes Feb 12, 2026
Summary
- github.com/gofiber/fiber/v2 from v2.52.9 to v2.52.11 to address CVE-2025-66630 (Critical)
- warpbuild-agentd which embeds this dependency
Test plan
- go build ./... passes
🤖 Generated with Claude Code
Note
Medium Risk
Dependency-only upgrade, but it changes request/error-handling and utility behavior (notably UUID generation now panics on entropy failures), which could surface as runtime behavior changes under edge conditions.
Overview
Updates vendored github.com/gofiber/fiber/v2 from v2.52.9 to v2.52.11 (including go.mod, go.sum, and vendor/modules.txt) to pick up upstream fixes for CVE-2025-66630.
The vendor refresh brings in upstream behavioral changes around mounted-app error handler selection (normalized prefix matching), safer string/byte handling in Ctx helpers when Config.Immutable is enabled, a small logging output fix, and stricter UUID generation failures (now panic on crypto/rand/secure UUID errors).
Written by Cursor Bugbot for commit 1a2d9d3.
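A pre-merge check for this kind of vendored upgrade, as an added example that is not part of the PR or the WarpBuild code base: it confirms that go.mod and vendor/modules.txt pin github.com/gofiber/fiber/v2 to the same release and that the release is at least v2.52.11, the version this PR moves to. The function names and the sample file contents are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

const fiberModule = "github.com/gofiber/fiber/v2"
const floorVersion = "v2.52.11" // assumption: the version this PR upgrades to

// pinned reads the module's version from go.mod or vendor/modules.txt text.
func pinned(text string) string {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimPrefix(line, "# "), "require "))
		if len(f) >= 2 && f[0] == fiberModule {
			return f[1]
		}
	}
	return ""
}

// num maps "vX.Y.Z" to a comparable integer (-1 if malformed or pre-release);
// compared as strings, "v2.52.9" would wrongly rank above "v2.52.11".
func num(v string) int {
	var a, b, c int
	fmt.Sscanf(v, "v%d.%d.%d", &a, &b, &c)
	if a < 0 || b < 0 || c < 0 || fmt.Sprintf("v%d.%d.%d", a, b, c) != v {
		return -1
	}
	return (a*100000+b)*100000 + c
}

// CheckPin passes only if both files agree on a release >= floorVersion.
func CheckPin(goMod, modulesTxt string) error {
	g, v := pinned(goMod), pinned(modulesTxt)
	if g == "" || g != v {
		return fmt.Errorf("go.mod pins %q but vendor/modules.txt has %q", g, v)
	}
	if num(g) < num(floorVersion) {
		return fmt.Errorf("%s %s is not a release >= %s", fiberModule, g, floorVersion)
	}
	return nil
}

func main() {
	// Constructed file contents, not taken from the repository.
	goMod := "module example.test/agent\n\nrequire (\n\tgithub.com/gofiber/fiber/v2 v2.52.11\n)\n"
	stale := "# github.com/gofiber/fiber/v2 v2.52.9\n## explicit; go 1.20\ngithub.com/gofiber/fiber/v2\n"
	fmt.Println(CheckPin(goMod, stale)) // reports the un-refreshed vendor/ tree
}
```

Because the build uses the vendored tree, a go.mod bump without a refreshed vendor/ directory would leave the old code in the binary, which is the mismatch this check reports.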