CVE-2025-66565
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-11

Assigner: GitHub, Inc.

Description
Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both of the package's UUID-generating functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures. Because the functions return only a string and no error, a caller cannot tell the fallback value apart from a genuine UUID, which compromises the security of any Fiber application that uses these functions for security-critical values such as session identifiers or tokens. This issue is fixed in version 2.0.0-rc.4.
CVSS Scores: not listed on this page
EPSS Scores: probability and percentile not listed on this page
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-09
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor    Product   Version / Range
fiber     fiber     2.0.0-rc.3
fiber     fiber     2.0.0-rc.4
gofiber   utils     up to 1.2.0 (exclusive)
gofiber   utils     2.0.0
Note that the CPE rows above disagree with the description: 2.0.0-rc.4 is listed as an associated CPE even though the description names it as the fixed version. Treat the description's range (2.0.0-rc.3 and below affected, 2.0.0-rc.4 fixed) as authoritative when matching your dependency versions.
CWE ID    Description
CWE-338   The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
CWE-252   The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
CWE-331   The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Fiber Utils versions 2.0.0-rc.3 and below. When the system's cryptographic random number generator (crypto/rand) fails, the affected UUID functions in Fiber Utils silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000", instead of reporting the failure to the caller. This fallback behavior compromises the security of all Fiber applications that rely on these functions for security-critical operations. The issue is fixed in version 2.0.0-rc.4.


How can this vulnerability impact me?

The vulnerability can severely impact the security of applications using Fiber Utils for security-critical operations. Because the functions return predictable UUIDs when the cryptographic random number generator fails, an attacker could guess or reproduce these values, defeating any feature that depends on the identifier being unguessable: authentication tokens, session identifiers, password-reset or invitation links, or similar one-time values. Where many requests receive the same zero UUID, one user's identifier can collide with another's. This can result in unauthorized access, data breaches, or other security failures.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Fiber Utils to version 2.0.0-rc.4 or later, as this version fixes the vulnerability related to predictable UUID values when crypto/rand fails. While you are there, audit where your application feeds these UUIDs into security decisions (session IDs, tokens, one-time links) and, if you cannot upgrade immediately, treat a returned zero UUID as a failure rather than as an identifier.
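The following added example is not code from Fiber Utils; it is a small reconstruction of the failure mode the Description and this mitigation answer describe. It takes the entropy source as an io.Reader parameter (an assumption for illustration; the real functions read crypto/rand directly) so that a broken random source can be simulated, which is otherwise hard to do because crypto/rand.Read is documented, as of Go 1.24, to never return an error and to crash the process instead. VulnerableUUID mirrors the silent fallback (CWE-252), HardenedUUID propagates the error, and IsUsableUUID is a caller-side guard for code that cannot yet move off a string-returning API. The failingReader type and all names here are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// nilUUID is the zero UUID the advisory names as the predictable fallback value.
const nilUUID = "00000000-0000-0000-0000-000000000000"

// ErrEntropy is returned by the hardened generator when the random source fails.
var ErrEntropy = errors.New("uuid: random source failed")

// format stamps version 4 and the RFC 4122 variant into 16 random bytes and
// renders them in the usual 8-4-4-4-12 hex layout.
func format(b []byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // variant bits = 10xx
	h := hex.EncodeToString(b)
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// VulnerableUUID reproduces the advisory's failure mode (constructed, not the
// project's code): the read error is swallowed and the nil UUID is returned,
// so a caller that never checks for it stores a predictable identifier.
func VulnerableUUID(src io.Reader) string {
	b := make([]byte, 16)
	if _, err := io.ReadFull(src, b); err != nil {
		return nilUUID // silent fallback: this is the bug
	}
	return format(b)
}

// HardenedUUID propagates the failure instead of inventing a value.
func HardenedUUID(src io.Reader) (string, error) {
	b := make([]byte, 16)
	if _, err := io.ReadFull(src, b); err != nil {
		return "", fmt.Errorf("%w: %v", ErrEntropy, err)
	}
	return format(b), nil
}

// NewUUID is the production entry point: hardened generator over crypto/rand.
func NewUUID() (string, error) {
	return HardenedUUID(rand.Reader)
}

// IsUsableUUID is a caller-side guard for a version-4 UUID string: the nil
// UUID, a malformed string, or a wrong version nibble all count as failure.
func IsUsableUUID(s string) bool {
	return len(s) == 36 && s != nilUUID && s[14] == '4'
}

// failingReader stands in for a broken platform random source (constructed
// for this example; it always reports an I/O error).
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("getrandom: EIO") }

func main() {
	fmt.Println("vulnerable, rand failed:", VulnerableUUID(failingReader{}))
	if _, err := HardenedUUID(failingReader{}); err != nil {
		fmt.Println("hardened, rand failed:", err)
	}
	id, err := NewUUID()
	fmt.Println("hardened, rand ok:", id, err, IsUsableUUID(id))
}
```

Run it and the vulnerable path prints the all-zero UUID with no indication anything went wrong, while the hardened path surfaces ErrEntropy; the guard rejects the zero value even when it arrives through an API that cannot return an error.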

