CVE-2026-25899

HIGH

GoFiber v3 <3.1.0 - Deserialization

Title source: llm

Description

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

References (2)

[Release Notes] https://github.com/gofiber/fiber/releases/tag/v3.1.0

[Vendor Advisory] https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6

Scores

CVSS v3 7.5

EPSS 0.0012

EPSS Percentile 30.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-770 CWE-789

Status published

Affected Products (2)

gofiber/fiber < 3.1.0

gofiber/fiber < 3.1.0Go

Timeline

Published Feb 24, 2026

Tracked Since Feb 25, 2026