Fiber · Fiber · CVE-2026-25899
**Name of the Vulnerable Software and Affected Versions**
Fiber versions prior to 3.1.0
**Description**
Fiber's flash-message support reads the `fiber_flash` cookie on every request, and an unauthenticated client can use it to force an unbounded memory allocation on any server running an affected version. A specially crafted 10-character cookie value makes the server attempt to allocate up to 85GB of memory through unvalidated msgpack deserialization. Every GoFiber v3 endpoint is affected, whether or not the application itself uses flash messages. The root cause is in `parseAndClearFlashMessages()`, which hex-decodes the cookie value and passes the bytes straight to msgpack deserialization with no size or content validation. The vulnerable function is the `UnmarshalMsg()` generated by `tinylib/msgp`: it reads a `uint32` array header from the attacker-controlled byte stream and uses that count directly as the length in a `make()` call, so the attacker chooses the allocation size. The crafted cookie value is simply the hex encoding of a msgpack array32 header (one type byte plus a four-byte big-endian element count, hence 10 hex characters) carrying a huge count.
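The decoding path described above, as an added Go example that is not Fiber's or `tinylib/msgp`'s own code: a minimal msgpack array32 decoder that reproduces the header-count-into-`make()` pattern, beside a bounded version that rejects the crafted header before allocating. The two cookie values, the use of fixstr elements to stand in for flash records, the function names and the `maxMsgs` cap are all constructed for illustration; Fiber's real record struct and the 3.1.0 fix are not reproduced.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"unsafe"
)

// Constructed sample cookies, not taken from the advisory's proof of concept. Both
// start with 0xdd (msgpack array32) and a big-endian uint32 count. benignCookie claims
// 2 elements and carries two fixstr values, "hello" and "world"; craftedCookie claims
// 0xffffffff elements and hex-encodes to exactly 10 characters.
const (
	benignCookie  = "dd00000002a568656c6c6fa5776f726c64"
	craftedCookie = "ddffffffff"
)

// elementSize is what one slice element costs in readElems (a Go string header).
var elementSize = uint64(unsafe.Sizeof(""))

// decodeCookie hex-decodes the cookie and reads the array32 header, as the parsing
// path does before allocating. The count is returned as read; nothing validates it.
func decodeCookie(cookieHex string) (count uint32, rest []byte, err error) {
	raw, err := hex.DecodeString(cookieHex)
	if err != nil {
		return 0, nil, err
	}
	if len(raw) < 5 || raw[0] != 0xdd {
		return 0, nil, errors.New("expected msgpack array32 header")
	}
	return binary.BigEndian.Uint32(raw[1:5]), raw[5:], nil
}

// readStr reads one msgpack fixstr element. Strings stand in for Fiber's flash
// records here; the real struct layout is not reproduced.
func readStr(b []byte) (string, int, error) {
	if len(b) == 0 || b[0]&0xe0 != 0xa0 {
		return "", 0, errors.New("expected fixstr element")
	}
	size := int(b[0] & 0x1f)
	if len(b) < 1+size {
		return "", 0, errors.New("truncated string body")
	}
	return string(b[1 : 1+size]), 1 + size, nil
}

// readElems is the allocation site: make() sized by count, then a fill loop.
func readElems(rest []byte, count uint32) ([]string, error) {
	msgs := make([]string, count) // unbounded when count comes straight from the header
	for i := range msgs {
		s, m, err := readStr(rest)
		if err != nil {
			return nil, err
		}
		msgs[i], rest = s, rest[m:]
	}
	return msgs, nil
}

// decodeUnchecked is the vulnerable pattern. Never call it with craftedCookie:
// that make() is the multi-gigabyte request the advisory describes.
func decodeUnchecked(cookieHex string) ([]string, error) {
	count, rest, err := decodeCookie(cookieHex)
	if err != nil {
		return nil, err
	}
	return readElems(rest, count)
}

// requestedBytes reports what decodeUnchecked's make() would ask for, without allocating.
func requestedBytes(cookieHex string) (uint64, error) {
	count, _, err := decodeCookie(cookieHex)
	return uint64(count) * elementSize, err
}

// decodeBounded is the hardened form. A msgpack element occupies at least one byte, so
// count may never exceed the bytes left after the header; an explicit cap (maxMsgs, an
// assumed value rather than a Fiber setting) bounds it further.
func decodeBounded(cookieHex string, maxMsgs uint32) ([]string, error) {
	count, rest, err := decodeCookie(cookieHex)
	if err != nil {
		return nil, err
	}
	if uint64(count) > uint64(len(rest)) {
		return nil, fmt.Errorf("header claims %d elements but only %d bytes follow", count, len(rest))
	}
	if count > maxMsgs {
		return nil, fmt.Errorf("%d flash messages exceeds cap of %d", count, maxMsgs)
	}
	return readElems(rest, count) // count is now bounded by input length and by the cap
}

func main() {
	msgs, err := decodeBounded(benignCookie, 64)
	fmt.Println("benign cookie:", msgs, err)
	size, _ := requestedBytes(craftedCookie)
	fmt.Printf("crafted cookie would request %d bytes (%.0f GiB)\n", size, float64(size)/(1<<30))
	_, err = decodeBounded(craftedCookie, 64)
	fmt.Println("bounded decoder:", err)
}
```

`decodeUnchecked` is kept only for comparison; fed `craftedCookie` it asks for about 64 GiB on a 64-bit build (4,294,967,295 string headers of 16 bytes each). That figure differs from the advisory's 85GB because this demo's element is a string rather than Fiber's flash record, but the mechanism is the same. The length check in `decodeBounded` is the general defence worth remembering: a serialized array of N elements must be at least N bytes long, so any header count larger than the remaining input is provably bogus and can be rejected before a single byte is allocated.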
**Recommendations**
Update to Fiber version 3.1.0 or later. Because the vulnerable parsing runs inside the framework on every request, an application cannot sidestep the issue by not using flash messages; upgrading is the only fix.