Description
Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.
Published: 2026-07-08
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gv83-gqw6-9j2c GoFiber never set HSTS header in helmet middleware due to incorrect protocol check
History

Wed, 08 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Gofiber
Gofiber fiber
Vendors & Products Gofiber
Gofiber fiber

Wed, 08 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description Fiber is an Express inspired web framework written in Go. Prior to 3.4.0, the helmet middleware in middleware/helmet/helmet.go never sets the Strict-Transport-Security response header even when HSTSMaxAge is configured because it checks c.Protocol() for https instead of c.Scheme(). This issue is fixed in version 3.4.0.
Title Fiber: HSTS header never set in helmet middleware due to incorrect protocol check
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T19:32:08.191Z

Reserved: 2026-06-09T20:16:59.646Z

Link: CVE-2026-53624

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T21:15:04Z

Weaknesses