sflow decode package of the Goflow application did not implement sufficient packet sanitisation which could lead to a denial of service attack. Attackers could craft malformed packets causing the process to consume large amounts of memory resulting in a denial of service.
The issue has been fixed by Cloudflare Engineering team in the 3.4.4 Goflow release.