CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-25899

The 10-Byte Killer: How a Tiny Cookie Crushed GoFiber v3

Amit Schendel
Amit Schendel
Senior Security Researcher

Feb 24, 2026·5 min read·50 visits

Executive Summary (TL;DR)

Unauthenticated DoS in GoFiber v3 via the `fiber_flash` cookie. A 5-byte payload triggers an 85GB memory allocation, crashing the server instantly. Fixed in v3.1.0.

GoFiber v3, a framework renowned for its blistering speed, fell victim to a critical Denial of Service vulnerability rooted in its handling of flash messages. By sending a specially crafted 'fiber_flash' cookie containing just 10 hex characters, an unauthenticated attacker could trick the server into attempting an 85GB memory allocation, triggering an immediate crash.

The Hook: The Phantom Cookie

GoFiber loves speed. It's built on top of fasthttp, bypassing Go's standard library to squeeze every microsecond out of request processing. But in the race for performance, safety sometimes gets left in the dust. Enter the fiber_flash cookie, a mechanism designed to pass temporary messages between requests (like "Login Successful").

Here is the kicker: in GoFiber v3, this logic was baked into the core requestHandler. It didn't matter if your application actually used flash messages. It didn't matter if you disabled every optional middleware. Before your router even looked at the URL, before your auth middleware checked the headers, the framework was eagerly digging through cookies looking for fiber_flash.

It’s the digital equivalent of a stranger walking into your house and opening your fridge before you’ve even unlocked the front door. If that stranger brings a specific, malformed packet of data, they don't just eat your food—they burn the house down.

The Flaw: Trust Issues

The vulnerability (CVE-2026-25899) is a textbook case of CWE-789: Memory Allocation with Excessive Size Value. It stems from how GoFiber handles—or rather, mishandles—deserialization using the tinylib/msgp library.

MessagePack (MsgPack) is a binary serialization format that is faster and smaller than JSON. When encoding an array, MsgPack uses a header to declare the number of elements. For example, 0x93 means "Array with 3 elements." The deserializer reads this header and prepares to read 3 objects.

The flaw lay in the auto-generated code's blind trust. It read the array size header and immediately allocated memory to hold that many elements, without checking if the input buffer actually contained enough data to fill them. It’s like a contractor ordering materials to build a skyscraper because a client wrote "100 floors" on a napkin, without checking if the client actually had the budget (or the land) for it.

The Code: The Smoking Gun

Let's look at the generated code in redirect_msgp.go. This is where the magic (and the crash) happens. The UnmarshalMsg method is responsible for turning bytes back into a struct.

// The Vulnerable Logic in GoFiber v3 < 3.1.0
func (z *redirectionMsgs) UnmarshalMsg(bts []byte) (o []byte, err error) {
    var zb0002 uint32
    // 1. Read the array size from the wire (attacker controlled!)
    zb0002, bts, err = msgp.ReadArrayHeaderBytes(bts)
    if err != nil {
        return
    }
    
    // 2. THE BUG: Blind allocation
    // If the attacker says zb0002 is 2 billion, we allocate 2 billion structs.
    if cap((*z)) >= int(zb0002) {
        (*z) = (*z)[:zb0002]
    } else {
        (*z) = make(redirectionMsgs, zb0002) // <--- CRASH HERE
    }
    
    // ... loop to read elements ...
}

The variable zb0002 is a uint32 taken directly from the input. If I send a header saying "I have 2 billion items," the Go runtime dutifully attempts to find contiguous memory for 2 billion redirectionMsg structs. It doesn't care that I only sent 5 bytes of actual data.

The Exploit: Death by 10 Bytes

You don't need a botnet. You don't need a supercomputer. You just need curl and ten hex characters. The attack vector is shockingly simple and affects every endpoint on the server.

The Payload: dd7fffffff

Let's break that down:

  • dd: The MessagePack marker for Array32 (an array with a 32-bit length).
  • 7fffffff: The hexadecimal representation of 2,147,483,647 (MaxInt32).

The Attack:

curl -H "Cookie: fiber_flash=dd7fffffff" http://target:3000/

When the server receives this, it decodes the hex and hits the allocator. It tries to allocate a slice for 2.14 billion structs. Even if the struct is small (say, 40 bytes), that requires requesting ~85 Gigabytes of RAM instantly.

Unless your server is running on a high-end mainframe, the Go runtime immediately panics with runtime: out of memory. The process dies. If you're running this in Kubernetes without strict restart policies, you just entered a crash loop. If you're on a standard VPS, your service is dead until you wake up and restart it.

The Fix: Closing the Window

The fix in version 3.1.0 is simple sanity checking. You can't fit a gallon of water in a shot glass, and you can't fit 2 billion array elements in a 5-byte payload.

The patched code introduces a check against the remaining bytes in the buffer. Before allocating, it calculates: "Does the remaining input stream have enough bytes to theoretically hold X elements?"

// The Fix Logic (Conceptual)
if availableBytes < (arraySize * minElementSize) {
    return error("array size exceeds available data")
}
make(slice, arraySize)

By validating that the declared size is physically possible given the input, the allocation is blocked before it hits the OS. This is a classic defense-in-depth strategy: never trust the client's metadata without verifying it against the actual data.

Official Patches

GoFiberOfficial Release Notes

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
0.10%
Top 100% most exploited
15,000
via Shodan

Affected Systems

GoFiber Web Framework (v3 branch)

Affected Versions Detail

Product
Affected Versions
Fixed Version
GoFiber
GoFiber
>= 3.0.0, < 3.1.03.1.0
AttributeDetail
CWECWE-789 (Memory Allocation with Excessive Size Value)
CVSS v3.17.5 (High)
Attack VectorNetwork (Cookie Header)
ImpactDenial of Service (OOM Panic)
AuthenticationNone Required
Exploit StatusHigh (Trivial PoC)

MITRE ATT&CK Mapping

T1499.003Endpoint Denial of Service: Application or System Exploitation
Impact
CWE-789
Memory Allocation with Excessive Size Value

The product allocates memory based on an untrusted size value, allowing an attacker to cause a denial of service via memory exhaustion.

Known Exploits & Detection

Research ReportCookie-based memory exhaustion PoC
NucleiDetection Template Available

Vulnerability Timeline

Vulnerability Disclosed & Patch Released
2026-02-24
PoC Published
2026-02-24

References & Sources

  • [1]GHSA Advisory
  • [2]CWE-789 Explanation

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 10 hours ago•CVE-2026-48861
2.1

CVE-2026-48861: HTTP Request Splitting and Smuggling via Method Parameter CRLF Injection in Elixir Mint

CVE-2026-48861 is a client-side HTTP request-line CRLF (Carriage Return Line Feed) injection vulnerability in the popular Elixir HTTP client library, Mint. The vulnerability permits HTTP Request Splitting and HTTP Request Smuggling when an application forwards untrusted, attacker-controlled inputs to Mint's HTTP client requests as either the HTTP request method or target. By embedding CRLF characters within these parameters, an attacker can terminate the request line prematurely, inject malicious headers, or pipeline entirely independent requests. These smuggled requests are then processed by upstream or downstream proxy servers as separate HTTP queries on the same TCP connection. While Mint version 1.7.0 introduced target validation to secure the request target, the HTTP request method parameter remained completely unvalidated. This flaw allows attackers to bypass routing filters, access restricted internal APIs, or poison HTTP caches under default configurations.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 10 hours ago•CVE-2026-49753
6.3

CVE-2026-49753: HTTP Request/Response Smuggling via Inconsistent Content-Length Parsing in Elixir Mint Client

An Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) vulnerability in the Elixir Mint HTTP client allows attacker-controlled HTTP/1 servers to desynchronize response framing on shared connections due to over-lenient parsing of sign-prefixed Content-Length headers.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 11 hours ago•CVE-2026-49754
8.2

CVE-2026-49754: Denial of Service via Unbounded HTTP/2 CONTINUATION Frame Accumulation in Elixir Mint

An allocation of resources without limits or throttling vulnerability in Elixir Mint allows an attacker-controlled HTTP/2 server to exhaust memory in a Mint client. The vulnerability is exploited by sending a HEADERS frame without the END_HEADERS flag followed by an infinite stream of CONTINUATION frames. Because the client lacks limits on the incoming header-block accumulator, the client continuously consumes memory until an out-of-memory crash occurs.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 11 hours ago•CVE-2026-48596
2.1

CVE-2026-48596: Improper Neutralization of CRLF Sequences in Elixir Tesla Multipart HTTP Client

CVE-2026-48596 is an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Request/Response Splitting, CWE-113) in the Elixir Tesla HTTP client. The flaw resides in how multipart content-type parameters are joined and serialized, enabling attackers to inject arbitrary headers or split HTTP requests when applications pass untrusted inputs to the parameters of multipart uploads.

Alon Barad
Alon Barad
5 views•6 min read
•about 12 hours ago•CVE-2026-48594
8.2

CVE-2026-48594: Decompression Bomb Denial of Service in Elixir Tesla HTTP Client

An improper handling of highly compressed data (decompression bomb) vulnerability exists in the Elixir Tesla HTTP client when utilizing response decompression middlewares. By serving highly compressed responses or stacked content-encoding headers, a malicious server can cause arbitrary heap exhaustion, leading to a denial of service (DoS) crash in the BEAM virtual machine.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 12 hours ago•CVE-2026-48595
8.2

CVE-2026-48595: Cross-Origin Credential Leakage in Elixir Tesla Client via Case-Sensitive Redirect Filter Bypass

A high-severity security vulnerability in Elixir's Tesla HTTP client library (CVE-2026-48595) allows unauthenticated remote attackers to harvest sensitive credentials, including Authorization headers and cookies. The flaw resides in the 'Tesla.Middleware.FollowRedirects' component, which performs case-sensitive lookups when stripping credentials during cross-origin redirects. Because HTTP headers are case-insensitive by RFC specifications, standard canonical casing (e.g., 'Authorization') bypasses the lowercase-only blocklist, leaking tokens to untrusted external redirect destinations.

Alon Barad
Alon Barad
6 views•5 min read