cvedb.io
CVE-2026-25899
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-02-24T22:16:31.613 · Last modified 2026-06-17T10:25:24.327

Summary

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

Affected products

gofiber — fiber

Does this affect you?

Add your gear to cvedb and we'll alert you only when gofiber ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.