CVE-2026-25899

{"id": "CVE-2026-25899", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-24T22:16:31.613", "references": [{"url": "https://github.com/gofiber/fiber/releases/tag/v3.1.0", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-2mr3-m5q5-wgp6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-789"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the `fiber_flash` cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue."}, {"lang": "es", "value": "Fiber es un framework web inspirado en Express escrito en Go. En versiones de la rama v3 anteriores a la 3.1.0, el uso de la 'cookie' fiber_flash puede forzar una asignaci\u00f3n ilimitada en cualquier servidor. Un valor de cookie manipulado de 10 caracteres desencadena un intento de asignar hasta 85 GB de memoria a trav\u00e9s de una deserializaci\u00f3n msgpack no validada. No se requiere autenticaci\u00f3n. Cada endpoint de GoFiber v3 se ve afectado independientemente de si la aplicaci\u00f3n utiliza mensajes flash. La versi\u00f3n 3.1.0 corrige el problema."}], "lastModified": "2026-02-25T20:31:50.943", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gofiber:fiber:*:*:*:*:*:go:*:*", "vulnerable": true, "matchCriteriaId": "0BE31D7D-3EA7-4474-930A-0FD4C237989C", "versionEndExcluding": "3.1.0", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}