CVE-2026-25899
HIGH
GHSA-2mr3-m5q5-wgp6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4Tags
Description
Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
Analysis
Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all systems running Fiber v3 and assess exposure; implement WAF rules to block or sanitize fiber_flash cookies; notify application teams. Within 7 days: deploy network-level mitigations (rate limiting, request filtering) and establish monitoring for memory exhaustion patterns. …
Sign in for detailed remediation steps.
Priority Score
Vendor Status
Share
External POC / Exploit Code
Leaving vuln.today