Description

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

INFO

Published Date :

2026-02-24T21:11:17.804Z

Last Modified :

2026-02-24T21:37:33.970Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25899 vulnerability.

Vendors Products
Gofiber
  • Fiber
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25899.

URL Resource
https://github.com/gofiber/fiber/releases/tag/v3.1.0 cve-icon cve-icon
https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact