CVE-2026-25899— Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-25899
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
Source: NVD (National Vulnerability Database)
Vulnerability Description
Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未经控制的内存分配
Source: NVD (National Vulnerability Database)
Vulnerability Title
Fiber 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Fiber是Fiber开源的一款使用Go语言编写的开源Web框架。 Fiber 3.1.0之前版本存在安全漏洞,该漏洞源于fiber_flash cookie可通过未经验证的msgpack反序列化触发大量内存分配,可能导致拒绝服务攻击。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-25899
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-25899
请登录查看更多情报信息。
Same Patch Batch · gofiber · 2026-02-24 · 3 CVEs total
| CVE-2026-25882 | Fiber has a Denial of Service Vulnerability via Route Parameter Overflow | |
| CVE-2026-25891 | Fiber has an Arbitrary File Read in Static Middleware on Windows |
IV. Related Vulnerabilities
Same product: fiber
- CVE-2026-30246
github.com/gofiber/fiber/v3 cache middleware can mix respons - CVE-2026-25891
Fiber has an Arbitrary File Read in Static Middleware on Win - CVE-2026-25882
Fiber has a Denial of Service Vulnerability via Route Parame - CVE-2025-66630
Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() - CVE-2025-54801
Fiber Susceptible to Crash via `BodyParser` Due to Unvalidat
Same vendor: gofiber
- CVE-2026-30246
github.com/gofiber/fiber/v3 cache middleware can mix respons - CVE-2026-25891
Fiber has an Arbitrary File Read in Static Middleware on Win - CVE-2026-25882
Fiber has a Denial of Service Vulnerability via Route Parame - CVE-2025-66630
Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() - CVE-2025-66565
Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable V
Same weakness: CWE-789
- CVE-2021-47944
memono Notepad 4.2 Denial of Service via Buffer Overflow - CVE-2026-42241
ParquetSharp: Possible Stack Overflow When Reading a Parquet - CVE-2026-43868
Apache Thrift: Rust implementation vulnerable to CVE-2020-13 - CVE-2026-42146
CImg Library: Uncontrolled memory allocation via nb_colors f - CVE-2026-42440
Apache OpenNLP: OOM DoS via Unbounded Array Allocation in Ab
V. Comments for CVE-2026-25899
No comments yet