CVE-2026-25899 — HIGH (7.5)

Q: How severe is CVE-2026-25899?

CVE-2026-25899 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-25899?

Check the references section above for vendor advisories and patch information. Affected products include: Gofiber Fiber.

Vulnerability Description

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gofiber	Fiber	>= 3.0.0, < 3.1.0

Related Weaknesses (CWE)

CWE-770 CWE-789

References

https://github.com/gofiber/fiber/releases/tag/v3.1.0Release Notes
https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6ExploitVendor Advisory

FAQ

What is CVE-2026-25899?

CVE-2026-25899 is a vulnerability with a CVSS score of 7.5 (HIGH). Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10...

How severe is CVE-2026-25899?

CVE-2026-25899 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-25899?

Check the references section above for vendor advisories and patch information. Affected products include: Gofiber Fiber.