### Vulnerability Key Information

#### Summary

- **Vulnerability Type**: Denial of Service (DoS) via unrestricted allocation through the flash cookie
- **CVE ID**: CVE-2026-25899
- **CVSS v3 Base Metrics**: Severity rating High (7.5/10), primarily impacting Availability; Attack Vector is Network; Attack Complexity is Low.

#### Affected Packages and Versions

- **Package**: github.com/gofiber/fiber/v3
- **Affected Versions**: = v3.1.0

#### Vulnerability Details

1. **Trigger Conditions**:
   - The `fiber_flash` cookie can trigger unrestricted memory allocation on any server.
   - A cookie value of only 10 characters can trigger a memory allocation of up to 85GB, because the msgpack payload is deserialized without validation.
   - No authentication is required; every GoFiber v3 endpoint is affected, regardless of whether the application uses flash messages.

2. **Code Analysis**:
   - Flash cookies are checked regardless of configuration settings.
   - The cookie value is hex-decoded and passed directly to msgpack deserialization without any size or content validation.
   - The auto-generated `tinylib/msgp` deserialization code reads a `uint32` array header from the attacker-controlled byte stream and passes it directly to `make()` without a bounds check.

3. **Attack Method**:
   - A crafted `fiber_flash` cookie can force a massive memory allocation on the server.
   - Example command: `curl -H "Cookie: fiber_flash=dd7fffffff" http://localhost:5000/hello`

4. **Impact**:
   - Unauthenticated remote Denial of Service (DoS) (CWE-789: Memory Allocation with Excessive Size Value).
   - Affects all users running GoFiber v3.0.0 or other v3 servers.
   - Flash cookie parsing is hard-coded and cannot be disabled by configuration.
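The bounds check that the code analysis above says is missing, shown as an added illustration rather than Fiber's or `tinylib/msgp`'s own code: the msgpack array header is decoded on its own, and the declared element count is rejected before any `make()` when it exceeds an assumed cap (`maxFlashEntries`) or the bytes actually present in the cookie. The helper names and the 64-entry cap are assumptions for this example.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

const maxFlashEntries = 64 // assumed cap; size it to how many flash messages the app really sets

// arrayHeaderLen decodes only the msgpack array header (fixarray, array16, array32)
// and returns the declared element count plus header size, without allocating.
func arrayHeaderLen(b []byte) (uint32, int, error) {
	switch {
	case len(b) == 0:
		return 0, 0, fmt.Errorf("empty payload")
	case b[0]&0xf0 == 0x90: // fixarray: low nibble is the length
		return uint32(b[0] & 0x0f), 1, nil
	case b[0] == 0xdc && len(b) >= 3: // array16: 2-byte big-endian length
		return uint32(binary.BigEndian.Uint16(b[1:3])), 3, nil
	case b[0] == 0xdd && len(b) >= 5: // array32: 4-byte big-endian length
		return binary.BigEndian.Uint32(b[1:5]), 5, nil
	}
	return 0, 0, fmt.Errorf("not a msgpack array, or truncated header")
}

// checkFlashCookie hex-decodes the cookie and validates the declared array length
// against a fixed cap and the bytes present, so a 5-byte header cannot drive a huge make().
func checkFlashCookie(value string) (uint32, error) {
	raw, err := hex.DecodeString(value)
	if err != nil {
		return 0, fmt.Errorf("flash cookie: %w", err)
	}
	n, hdr, err := arrayHeaderLen(raw)
	if err != nil {
		return 0, fmt.Errorf("flash cookie: %w", err)
	}
	// Each element needs at least one byte, so a count above the remaining payload
	// length cannot come from a cookie the server itself issued.
	if n > maxFlashEntries || uint64(n) > uint64(len(raw)-hdr) {
		return n, fmt.Errorf("flash cookie: declared %d entries, rejected", n)
	}
	return n, nil
}

func main() { // constructed inputs: a one-entry cookie and the advisory's oversized header
	for _, v := range []string{"91a568656c6c6f", "dd7fffffff"} {
		n, err := checkFlashCookie(v)
		fmt.Printf("%s -> entries=%d err=%v\n", v, n, err)
	}
}
```

Run in front of the real decoder, the check turns the 2^31-element header from the advisory's example into a rejected request instead of an allocation.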