CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53624

mediumCVSS 4.8covered by 2 sourcesfirst seen 2026-07-06
Summary The helmet middleware in gofiber/fiber never sets the Strict-Transport-Security (HSTS) response header, even when HSTSMaxAge is explicitly configured, because the condition check at helmet.go:67 uses c.Protocol() — which returns the HTTP protocol version string (e.g., "HTTP/1.1", "HTTP/2.0") — instead of c.Scheme() — which returns the URL scheme ("http" or "https"). Since c.Protocol() never equals "https" in any real deployment, the HSTS header is permanently disabled, defeating the security protection. Details Root cause: middleware/helmet/helmet.go, line 67: if c.Protocol() == "https" && cfg.HSTSMaxAge != 0 { c.Protocol() (defined at req.go:865-867) delegates to fasthttp.Request.Header.Protocol(), which returns the HTTP protocol version: - "HTTP/1.1" for HTTP/1.1 connections - "HTTP/2.0" for HTTP/2 connections The correct method is c.Scheme() (defined at req.go:844-862), which returns: - "http" for plain HTTP connections - "https" for TLS connections Since "HTTP/1.1" != "https" always evaluates to true, the entire HSTS block (lines 67-76) is dead code. Note on test coverage: The existing helmet test (helmet_test.go) passes because it uses ctx.Request.Header.SetProtocol("https") to artificially force Protocol() to return "https". However, fasthttp.Request.Header.SetProtocol() sets the HTTP version field, and real HTTP requests never have protocol "https" — they have "HTTP/1.1" or "HTTP/2.0". The test is validating the wrong thing. PoC Clean-checkout maintainer-runnable recipe: 1. Save the following as middleware/helmet/poc_hsts_test.go: package helmet import ( "crypto/tls" "net/http/httptest" "testing" "github.com/gofiber/fiber/v3" ) func Test_PoC_HSTS_NeverSet(t *testing.T) { app := fiber.New() app.Use(New(Config{ HSTSMaxAge: 31536000, })) app.Get("/", func(c fiber.Ctx) error { return c.Sen

⚡ Watch CVE-2026-53624

Get an email if CVE-2026-53624 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-53624

CVE.org record

Embed the live status

CVE-2026-53624 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53624 status](https://www.csirts.com/badge/CVE-2026-53624)](https://www.csirts.com/cve/CVE-2026-53624)