CVE-2025-66630
Awaiting Analysis Awaiting Analysis - Queue
Predictable UUIDv4 Generation in Fiber v2 Causes Security Risk

Publication date: 2026-02-09

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-14
NVD
CVE-2025-66630
EUVD
EUVD-2025-207191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gofiber fiber to 2.52.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-338 The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Fiber web framework, which is written in Go. Before version 2.52.11, on Go versions prior to 1.24, the crypto/rand package can return an error if it fails to obtain secure randomness. However, Fiber's UUID functions do not return this error, causing the application to unknowingly use predictable, repeated, or low-entropy UUIDs. Since many Fiber middleware components rely on these UUIDs for security-critical functions like sessions, CSRF protection, rate limiting, and request ID generation, this flaw can compromise security.

Detection Guidance

I don't know

Compliance Impact

I don't know

Impact Analysis

The impact of this vulnerability is that security-critical identifiers generated by Fiber may be predictable or repeated due to low-entropy UUIDs. This can lead to potential security risks such as session hijacking, bypassing CSRF protections, ineffective rate limiting, and compromised request tracking. Essentially, attackers could exploit these predictable identifiers to impersonate users or disrupt application security mechanisms.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the Fiber web framework to version 2.52.11 or later.

Additionally, ensure that your Go runtime version is 1.24 or later to avoid issues with the underlying crypto/rand implementation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66630. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart