CVE-2025-66630
Awaiting Analysis Awaiting Analysis - Queue
Predictable UUIDv4 Generation in Fiber v2 Causes Security Risk

Publication date: 2026-02-09

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-28
Generated
2026-05-27
AI Q&A
2026-02-09
EPSS Evaluated
2026-05-25
NVD
CVE-2025-66630
EUVD
EUVD-2025-207191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gofiber fiber to 2.52.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


Can you explain this vulnerability to me?

This vulnerability exists in the Fiber web framework, which is written in Go. Before version 2.52.11, on Go versions prior to 1.24, the crypto/rand package can return an error if it fails to obtain secure randomness. However, Fiber's UUID functions do not return this error, causing the application to unknowingly use predictable, repeated, or low-entropy UUIDs. Since many Fiber middleware components rely on these UUIDs for security-critical functions like sessions, CSRF protection, rate limiting, and request ID generation, this flaw can compromise security.


How can this vulnerability impact me? :

The impact of this vulnerability is that security-critical identifiers generated by Fiber may be predictable or repeated due to low-entropy UUIDs. This can lead to potential security risks such as session hijacking, bypassing CSRF protections, ineffective rate limiting, and compromised request tracking. Essentially, attackers could exploit these predictable identifiers to impersonate users or disrupt application security mechanisms.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade the Fiber web framework to version 2.52.11 or later.

Additionally, ensure that your Go runtime version is 1.24 or later to avoid issues with the underlying crypto/rand implementation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart