What is the CVSS score of CVE-2026-25899?

CVE-2026-25899 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.1%.

Which versions of Fiber are affected by CVE-2026-25899?

A vulnerability in Fiber web framework (Go) versions prior to 3.1.0 allows attackers to trigger unlimited memory allocation through a malicious cookie, potentially causing service denial and system…. A patch is available.

Is there a public PoC exploit available for CVE-2026-25899?

Yes, a public proof-of-concept exploit is available for CVE-2026-25899. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-25899?

Within 24 hours: inventory all systems running Fiber v3 and assess exposure; implement WAF rules to block or sanitize fiber_flash cookies; notify application teams. Within 7 days: deploy network-level mitigations (rate limiting, request filtering) and establish monitoring for memory exhaustion patterns. Within 30 days: upgrade to Fiber 3.1.0 or later once released; conduct post-incident review of patch management processes.

Fiber CVE-2026-25899

HIGH

Memory Allocation with Excessive Size Value (CWE-789)

2026-02-24 security-advisories@github.com

GHSA-2mr3-m5q5-wgp6

Deserialization Fiber Suse

7.5

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.5 HIGH

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SUSE

HIGH

qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 20:31 vuln.today

Public exploit code

CVE Published

Feb 24, 2026 - 22:16 nvd

HIGH 7.5

DescriptionGitHub Advisory

Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiber_flash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.

AnalysisAI

Unbounded memory allocation in Fiber v3 (prior to 3.1.0) allows unauthenticated remote attackers to trigger denial of service by sending a malicious fiber_flash cookie that forces deserialization of up to 85GB of memory. All v3 endpoints are vulnerable regardless of flash message usage, and public exploit code exists. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send HTTP request with crafted fiber_flash cookie

Exploit

Trigger unvalidated msgpack deserialization

Execution

Allocate unbounded memory

Impact

Exhaust server resources and crash service

Access

Send HTTP request with crafted fiber_flash cookie

Exploit

Trigger unvalidated msgpack deserialization

Execution

Allocate unbounded memory

Impact

Exhaust server resources and crash service

Vulnerability AssessmentAI

Exploitation	GoFiber v3 prior to 3.1.0 with any HTTP endpoint exposed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation	Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all systems running Fiber v3 and assess exposure; implement WAF rules to block or sanitize fiber_flash cookies; notify application teams. …

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

SUSE

Severity: High

Product	Status
openSUSE Leap 15.6	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5	Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6	Fixed
openSUSE Leap 15.5	Fixed

CVE-2026-25899 vulnerability details – vuln.today

Back

Fiber CVE-2026-25899

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Vendor StatusVendor

SUSE

Share

External POC / Exploit Code