PT-2026-21803 · Fiber · Fiber

Tuliperis · Published 2026-02-24 · Updated 2026-03-03 · CVE-2026-25899

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Fiber versions prior to 3.1.0
Description: A specially crafted value in Fiber's flash cookie leads to an unbounded memory allocation on any server running an affected version. A 10-character cookie value causes the server to attempt to allocate up to 85GB of memory through unvalidated msgpack deserialization. No authentication is required, and every GoFiber v3 endpoint is affected, whether or not the application uses flash messages. The issue stems from the parseAndClearFlashMessages() function, which hex-decodes the cookie value and passes it directly to msgpack deserialization without size or content validation. The auto-generated tinylib/msgp deserialization code reads a uint32 array header from the attacker-controlled byte stream and uses it directly in a make() call, producing the unbounded allocation. The vulnerable function is UnmarshalMsg(); the malicious cookie value is a hex-encoded msgpack array32 header.
Recommendations: Update to Fiber version 3.1.0 or later.
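The root cause described above is a length field taken from untrusted input and handed straight to make(). The following is an added example, not Fiber's code or the fix shipped in 3.1.0: a small pre-validation step that hex-decodes a cookie value, reads the msgpack array header (fixarray, array16 or array32) and rejects any declared element count that exceeds an application-chosen cap or that could not possibly fit in the bytes that follow. The function names (ArrayHeader, ValidateFlashCookie), the limits maxCookieBytes and maxFlashItems, and all sample inputs are assumptions constructed for the example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed limits for this example; a real application derives them from
// what a flash-message cookie can legitimately carry.
const (
	maxCookieBytes = 4096 // assumption: no legitimate cookie is larger than this
	maxFlashItems  = 64   // assumption: no legitimate flash array has more entries
)

var (
	ErrTooLarge    = errors.New("cookie exceeds size limit")
	ErrBadEncoding = errors.New("cookie is not valid hex")
	ErrNotArray    = errors.New("payload does not start with a msgpack array header")
	ErrCountBounds = errors.New("declared array length exceeds limit or remaining bytes")
	ErrTruncated   = errors.New("array header is truncated")
)

// ArrayHeader parses a msgpack array header and returns the declared element
// count plus the bytes that follow it. It refuses counts above limit and
// counts larger than the remaining input (every element needs at least one
// byte), so the count can never drive an unbounded allocation.
func ArrayHeader(b []byte, limit uint32) (uint32, []byte, error) {
	if len(b) == 0 {
		return 0, nil, ErrTruncated
	}
	var n uint32
	var rest []byte
	switch {
	case b[0]&0xf0 == 0x90: // fixarray: the low nibble is the count
		n = uint32(b[0] & 0x0f)
		rest = b[1:]
	case b[0] == 0xdc: // array16: big-endian uint16 count follows
		if len(b) < 3 {
			return 0, nil, ErrTruncated
		}
		n = uint32(binary.BigEndian.Uint16(b[1:3]))
		rest = b[3:]
	case b[0] == 0xdd: // array32: big-endian uint32 count follows
		if len(b) < 5 {
			return 0, nil, ErrTruncated
		}
		n = binary.BigEndian.Uint32(b[1:5])
		rest = b[5:]
	default:
		return 0, nil, ErrNotArray
	}
	if n > limit || uint64(n) > uint64(len(rest)) {
		return 0, nil, ErrCountBounds
	}
	return n, rest, nil
}

// ValidateFlashCookie hex-decodes a cookie value and checks its array header
// before any deserializer is allowed to allocate for it. It returns the
// validated element count.
func ValidateFlashCookie(value string) (uint32, error) {
	if len(value) > maxCookieBytes*2 { // two hex characters per byte
		return 0, ErrTooLarge
	}
	raw, err := hex.DecodeString(value)
	if err != nil {
		return 0, ErrBadEncoding
	}
	n, _, err := ArrayHeader(raw, maxFlashItems)
	if err != nil {
		return 0, err
	}
	return n, nil
}

func main() {
	// Constructed inputs: an empty array, a two-element array of one-byte
	// strings, and a 10-character array32 header with no data behind it.
	for _, v := range []string{"90", "92a161a162", "dd10000000"} {
		n, err := ValidateFlashCookie(v)
		fmt.Printf("%-12s -> count=%d err=%v\n", v, n, err)
	}
}
```

The check belongs before the generated UnmarshalMsg() is called, because that code trusts the header it reads; capping the count against both a fixed limit and the remaining input length means a header claiming billions of elements is rejected at the cost of a few byte comparisons rather than a multi-gigabyte make().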

Exploit · Fix · DoS · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

CVE-2026-25899
GHSA-2MR3-M5Q5-WGP6
GO-2026-4534
SUSE-SU-2026:0757-1

Affected Products

Fiber