GoFiber Unauthenticated Denial-of-Service Vulnerability via Unbounded Memory Allocation

Vulnerability

A denial-of-service vulnerability has been identified in the GoFiber web framework, specifically in version 3.0.0 and prior. The issue arises from the handling of the 'fiber_flash' cookie, which can be exploited to cause an unbounded memory allocation on the server. When a crafted 10-character cookie value is received, it triggers a deserialization process that can attempt to allocate up to 85GB of memory, leading to a server crash. This vulnerability affects all GoFiber v3 endpoints, regardless of whether flash messages are used, and does not require authentication.

Impact

Exploitation of this vulnerability causes a remote denial-of-service condition, overwhelming the server with memory allocation requests and potentially leading to a crash.

Reproduction

To reproduce this vulnerability, send a request to a GoFiber v3.0.0 or earlier endpoint with a 'fiber_flash' cookie containing a hex-encoded msgpack array header. The header should indicate a large number of elements, such as 2,147,483,647, which will cause the server to allocate a corresponding amount of memory.

Remediation

Users can upgrade to GoFiber version 3.1.0 or later, where this vulnerability has been fixed.

Added: Feb 24, 2026, 11:12 PM
Updated: Feb 24, 2026, 11:12 PM

Vulnerability Rating

Custom Algorithm
spread
6.4
impact
2.5
exploitability
9.3
remediation
7.7
relevance
2.1
threat
4.8
urgency
2.9
incentive
8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.