Memory Management Vulnerability in GoFiber Framework by Fiber
CVE-2026-25899

7.5 HIGH

Key Information:

Vendor

Gofiber

Status
Vendor
CVE Published:
24 February 2026

What is CVE-2026-25899?

The GoFiber framework, an Express-inspired web framework written in Go, has a memory management vulnerability involving the fiber_flash cookie. Versions prior to 3.1.0 are affected. An attacker can craft a 10-character cookie value that triggers an unbounded memory allocation of up to 85GB, because the msgpack deserialization is unvalidated. The vulnerability impacts all endpoints in the application, whether or not they use flash messages. Fiber has released version 3.1.0 to fix the vulnerability.
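The following added example, which is not Fiber's code or its 3.1.0 fix, shows the general defence against unvalidated msgpack deserialization: compare a declared length with the bytes actually present before anything is allocated for it. It narrows to MessagePack array headers; `CheckArray`, `arrayLen`, `maxElems` and the sample bytes are assumptions constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxElems is an assumed application cap on declared element counts.
const maxElems = 256

var (
	errHeader    = errors.New("msgpack: truncated or non-array header")
	errOversized = errors.New("msgpack: declared length exceeds input or cap")
)

// arrayLen reads a MessagePack array header and returns the declared
// element count and the header size in bytes.
func arrayLen(b []byte) (n uint32, hdr int, err error) {
	switch {
	case len(b) >= 1 && b[0]&0xf0 == 0x90: // fixarray: count in low nibble
		return uint32(b[0] & 0x0f), 1, nil
	case len(b) >= 3 && b[0] == 0xdc: // array16: big-endian uint16 count
		return uint32(binary.BigEndian.Uint16(b[1:3])), 3, nil
	case len(b) >= 5 && b[0] == 0xdd: // array32: big-endian uint32 count
		return binary.BigEndian.Uint32(b[1:5]), 5, nil
	}
	return 0, 0, errHeader
}

// CheckArray runs before any decoder allocates: each MessagePack value takes
// at least one byte, so the count may not exceed the remaining input or cap.
func CheckArray(b []byte) (uint32, error) {
	n, hdr, err := arrayLen(b)
	if err != nil {
		return 0, err
	}
	if n > maxElems || int64(n) > int64(len(b)-hdr) {
		return 0, errOversized
	}
	return n, nil
}

func main() {
	ok := []byte{0x92, 0x01, 0x02}        // constructed: declares 2, 2 bytes follow
	bad := []byte{0xdc, 0x03, 0xe8, 0x01} // constructed: declares 1000, 1 byte follows
	fmt.Println(CheckArray(ok))
	fmt.Println(CheckArray(bad))
}
```

A check like this does not replace upgrading to 3.1.0; it illustrates the class of validation whose absence the description above refers to.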

Affected Version(s)

fiber >= 3.0.0, < 3.1.0

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved