CVE-2025-66630
Awaiting Analysis Awaiting Analysis - Queue

Predictable UUIDv4 Generation in Fiber v2 Causes Security Risk

Vulnerability report for CVE-2025-66630, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-09

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-09
Last Modified
2026-02-28
Generated
2026-07-06
AI Q&A
2026-02-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gofiber fiber to 2.52.11 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Executive Summary

This vulnerability exists in the Fiber web framework, which is written in Go. Before version 2.52.11, on Go versions prior to 1.24, the crypto/rand package can return an error if it fails to obtain secure randomness. However, Fiber's UUID functions do not return this error, causing the application to unknowingly use predictable, repeated, or low-entropy UUIDs. Since many Fiber middleware components rely on these UUIDs for security-critical functions like sessions, CSRF protection, rate limiting, and request ID generation, this flaw can compromise security.

Impact Analysis

The impact of this vulnerability is that security-critical identifiers generated by Fiber may be predictable or repeated due to low-entropy UUIDs. This can lead to potential security risks such as session hijacking, bypassing CSRF protections, ineffective rate limiting, and compromised request tracking. Essentially, attackers could exploit these predictable identifiers to impersonate users or disrupt application security mechanisms.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Fiber web framework to version 2.52.11 or later.

Additionally, ensure that your Go runtime version is 1.24 or later to avoid issues with the underlying crypto/rand implementation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart