CVE-2026-25899

HIGH

GoFiber v3 <3.1.0 - Deserialization

Title source: llm

Description

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

References (2)

[Vendor Advisory] https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6

[Release Notes] https://github.com/gofiber/fiber/releases/tag/v3.1.0

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 37.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770 CWE-789

Status published

Products (2)

gofiber/fiber 0 - 3.1.0Go

gofiber/fiber 3.0.0 - 3.1.0

Published Feb 24, 2026

Tracked Since Feb 25, 2026