Fiber is an Express inspired web framework written in Go. In versions on the v3 branch prior to 3.1.0, the use of the fiber_flash cookie can force an unbounded allocation on any server. A crafted 10-character cookie value triggers an attempt to allocate up to 85GB of memory via unvalidated msgpack deserialization. No authentication is required. Every GoFiber v3 endpoint is affected regardless of whether the application uses flash messages. Version 3.1.0 fixes the issue.
Weakness
The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Fiber | Gofiber | 3.0.0 (including) | 3.1.0 (excluding) |