CVE-2026-25899: Fiber is Vulnerable to Denial of Service via Flash Cookie Unbounded Allocation
The use of the fiber_flash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages.
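The validation that "unvalidated msgpack deserialization" lacks, shown as an added Go example (not Fiber's code and not its fix): compare the length a msgpack header declares with the bytes actually left in the input before anything is allocated. `CheckDeclaredLength`, `lengthField` and the sample bytes are constructed for illustration; the function checks only the outermost header, and a decoder needs the same test at every nested header.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrLengthExceedsInput = errors.New("msgpack: declared length exceeds remaining input")

// lengthField maps a msgpack type byte to (length-field width, min bytes per declared unit).
func lengthField(tag byte) (width int, perUnit uint64, ok bool) {
	switch tag {
	case 0xc4, 0xd9: // bin8, str8
		return 1, 1, true
	case 0xc5, 0xda, 0xdc: // bin16, str16, array16
		return 2, 1, true
	case 0xc6, 0xdb, 0xdd: // bin32, str32, array32
		return 4, 1, true
	case 0xde, 0xdf: // map16 (width 2), map32 (width 4); an entry is key + value
		return 2 << (tag & 1), 2, true
	}
	return 0, 0, false
}

// CheckDeclaredLength rejects a header whose declared size cannot fit in the bytes after it.
func CheckDeclaredLength(buf []byte) (uint64, error) {
	if len(buf) == 0 {
		return 0, errors.New("msgpack: empty input")
	}
	width, perUnit, ok := lengthField(buf[0])
	if !ok {
		return 0, nil // scalar or fix* type: declares at most 31 units
	}
	if len(buf) < 1+width {
		return 0, ErrLengthExceedsInput // header itself is truncated
	}
	var n uint64
	for _, b := range buf[1 : 1+width] { // big-endian length field
		n = n<<8 | uint64(b)
	}
	if n*perUnit > uint64(len(buf)-1-width) {
		return n, ErrLengthExceedsInput
	}
	return n, nil
}

func main() { // constructed sample: array32 header declaring 1,000,000 elements, 3 bytes follow
	fmt.Println(CheckDeclaredLength([]byte{0xdd, 0x00, 0x0f, 0x42, 0x40, 1, 2, 3}))
}
```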