CVE-2026-25899
Awaiting Analysis Awaiting Analysis - Queue
Unbounded Memory Allocation via Msgpack Deserialization in Fiber v

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-25899
EUVD
EUVD-2026-8566
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gofiber fiber From 3.0.0 (inc) to 3.1.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Fiber, a web framework written in Go, specifically in versions on the v3 branch prior to 3.1.0. It involves the `fiber_flash` cookie, which can be manipulated to cause the server to allocate an extremely large amount of memoryβ€”up to 85GBβ€”due to unvalidated msgpack deserialization. This can be triggered by a crafted 10-character cookie value without requiring any authentication. The issue affects every GoFiber v3 endpoint regardless of whether the application uses flash messages.

Impact Analysis

The vulnerability can lead to a denial of service (DoS) condition by forcing the server to allocate an unbounded amount of memory, potentially up to 85GB. This can exhaust server resources, causing the application or server to crash or become unresponsive, disrupting service availability.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade the Fiber web framework to version 3.1.0 or later, as this version fixes the issue.

Since the vulnerability involves unbounded memory allocation triggered by a crafted fiber_flash cookie, consider implementing network-level protections such as filtering or blocking suspicious requests containing unusual cookie values until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25899. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart