Impact
The vulnerability resides in the handling of the fiber_flash cookie within the GoFiber web framework. A specially crafted 10‑character cookie value triggers unvalidated msgpack deserialization, causing the framework to attempt allocating up to 85 GB of memory. Successful exploitation forces the server to consume excessive resources, leading to degraded performance or a crash, thereby denying legitimate users access. The flaw is reflected in the CVE’s CWE identifiers for uncontrolled resource consumption and buffer overflow. No authentication is required, meaning any client can trigger the denial.
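The failure mode described above, a decoder that trusts a length declared by untrusted input and allocates that much memory before checking whether the bytes are actually there, is easiest to see in a small Go program. The block below is an added illustration for this advisory, not GoFiber's code and not msgpack's real wire format: it uses a constructed 8-byte length prefix as a stand-in for the length-prefixed fields such formats carry, shows the unchecked pattern beside a checked decoder that caps the declared length and requires the payload to be present, and feeds both a constructed sample input. The names `decodeUnchecked`, `decodeChecked`, `lengthPrefixed` and the 64 KiB cap are assumptions chosen for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// maxFieldLen is an assumed application-level cap on how large a single
// decoded field may be. A flash-message cookie has no business being larger.
const maxFieldLen = 64 * 1024

var (
	ErrShortInput  = errors.New("input shorter than the 8-byte length header")
	ErrLengthLimit = errors.New("declared length exceeds the configured limit")
	ErrTruncated   = errors.New("declared length exceeds the bytes actually present")
)

// lengthPrefixed builds a constructed sample input: an 8-byte big-endian
// length followed by the body. The declared length need not match the body,
// which is exactly the mismatch a decoder must not trust.
func lengthPrefixed(declared uint64, body string) []byte {
	out := make([]byte, 8+len(body))
	binary.BigEndian.PutUint64(out, declared)
	copy(out[8:], body)
	return out
}

// decodeUnchecked is the vulnerable pattern (illustrative, not Fiber's code):
// it sizes the allocation from the declared length alone, so a tiny input
// declaring a huge length makes the process reserve that much memory.
func decodeUnchecked(in []byte) []byte {
	n := binary.BigEndian.Uint64(in[:8])
	buf := make([]byte, n) // allocation driven entirely by attacker-controlled n
	copy(buf, in[8:])
	return buf
}

// decodeChecked applies the two checks a decoder needs before allocating:
// the declared length must be within the application's limit, and it must
// not exceed the number of bytes that actually follow the header.
func decodeChecked(in []byte) ([]byte, error) {
	if len(in) < 8 {
		return nil, ErrShortInput
	}
	n := binary.BigEndian.Uint64(in[:8])
	if n > maxFieldLen {
		return nil, ErrLengthLimit
	}
	if n > uint64(len(in)-8) {
		return nil, ErrTruncated
	}
	buf := make([]byte, n) // safe: n is bounded by both the cap and the input
	copy(buf, in[8:8+int(n)])
	return buf, nil
}

func main() {
	good := lengthPrefixed(5, "hello")
	v, err := decodeChecked(good)
	fmt.Printf("benign input: %q err=%v\n", v, err)

	// Constructed sample: a few bytes that declare 85 GiB. decodeChecked refuses
	// it without allocating; decodeUnchecked would try to honour the claim.
	oversized := lengthPrefixed(85<<30, "hi")
	_, err = decodeChecked(oversized)
	fmt.Println("oversized declaration:", err)
}
```

The order of the two checks matters: comparing against the cap first means a hostile length is rejected by a single integer comparison, and the comparison against `len(in)-8` catches the subtler case of a modest length that still exceeds what was received. A real fix in a library sits inside the deserializer itself rather than around it, but the invariant is the same: never let an input decide how much memory to allocate beyond what it also supplies.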
Affected Systems
This flaw affects all releases of GoFiber v3 prior to version 3.1.0. The framework, written in Go and inspired by Express, is distributed under the gofiber:fiber product line. The issue is present on every endpoint because flash messages are processed globally, regardless of whether the application uses them.
Risk and Exploitability
The CVSS base score of 7.5 indicates a high severity, while the EPSS score of less than 1 % signals that exploitation is currently rare but not impossible. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, so no publicly documented exploits exist at this time. Likely exploitation would involve sending a malicious request with the crafted flash cookie over the network; since no credentials are needed, the attacker only requires network access to the target web application.
OpenCVE Enrichment
Github GHSA