CVE-2025-66630
Published 2026-02-09
PriorityP356critical9.4CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.47% (37.2th percentile)
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gofiber_fiber_v2 | >= 0 < 2.52.11 | 2.52.11 |
| gofiber | fiber | < 2.52.11 | 2.52.11 |
CVSS provenance
NVD · v3.1 · 9.4 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
NVD · v4.0 · 9.2 CRITICAL · CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat (vendor) · 9.2 CRITICAL
OSV
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() on crypto/rand failure in github.com/gofiber/fiber
osv · 2026-02-19
OSV
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
osv · 2026-02-09 · CRITICAL
Fiber v2 contains an internal vendored copy of `gofiber/utils`, and its functions `UUIDv4()` and `UUID()` inherit the same critical weakness described in the upstream advisory. On **Go versions prior to 1.24**, the underlying `crypto/rand` implementation **can return an error** if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID `00000000-0000-0000-0000-000000000000`.
On Go **1.24+**, the language guarantees that `crypto/rand` no longer returns an error (it will block or panic instead), so this vulnerability primarily affects **Fiber v2 users running Go 1.23 or earlier**,
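The defensive pattern the advisory implies, written here as an added example rather than Fiber's own code: a UUIDv4 generator that propagates any error from the randomness source instead of falling back to a fixed value, and a validator that rejects the all-zero UUID so a consumer of these identifiers (a session store or CSRF check, for instance) can detect the fallback rather than accept it. `failingReader` is a constructed stand-in for a `crypto/rand` source that returns an error, as could happen on Go versions before 1.24; on Go 1.24+ `rand.Reader` never returns one, so the error path simply never fires.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrNilUUID is returned for the all-zero UUID that the vulnerable fallback produced.
var ErrNilUUID = errors.New("uuid: all-zero (nil) UUID; randomness source likely failed")

// NewUUIDv4 builds an RFC 4122 version-4 UUID from 16 bytes read from r.
// Unlike the vulnerable helper, it never substitutes a fixed value: any
// read error (including a short read) is returned to the caller.
func NewUUIDv4(r io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return "", fmt.Errorf("uuid: reading randomness: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version nibble = 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant bits = 10
	return formatUUID(b), nil
}

// formatUUID renders 16 bytes in the canonical 8-4-4-4-12 hex layout.
func formatUUID(b [16]byte) string {
	h := hex.EncodeToString(b[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

func isHex(c rune) bool {
	return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F')
}

// CheckUUID rejects identifiers a consumer should never trust: malformed
// strings and the nil UUID 00000000-0000-0000-0000-000000000000.
func CheckUUID(s string) error {
	if len(s) != 36 {
		return errors.New("uuid: wrong length")
	}
	allZero := true
	for i, c := range s {
		switch i {
		case 8, 13, 18, 23:
			if c != '-' {
				return errors.New("uuid: malformed separator")
			}
		default:
			if !isHex(c) {
				return errors.New("uuid: non-hex character")
			}
			if c != '0' {
				allZero = false
			}
		}
	}
	if allZero {
		return ErrNilUUID
	}
	return nil
}

// failingReader is a constructed randomness source that always errors,
// simulating crypto/rand failing on a pre-1.24 Go runtime.
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) {
	return 0, errors.New("entropy unavailable")
}

func main() {
	id, err := NewUUIDv4(rand.Reader)
	fmt.Println("fresh id:", id, "err:", err, "check:", CheckUUID(id))

	_, err = NewUUIDv4(failingReader{})
	fmt.Println("failing source:", err) // the error reaches the caller instead of a zero UUID

	fmt.Println("nil uuid rejected:", CheckUUID("00000000-0000-0000-0000-000000000000"))
}
```

The validator is the detection half: if an identifier store or a middleware ever sees the nil UUID, something upstream took the insecure fallback, which is worth alerting on even after upgrading to 2.52.11.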
GHSA
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
ghsa · 2026-02-09 · CRITICAL · CWE-338
Red Hat
github.com/gofiber/fiber/v2: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses
vendor_redhat · 2026-02-09 · CVSS 9.2 · CRITICAL · CWE-331
A flaw was found in the Fiber web framework (github.com/gofiber/fiber/v2). On
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-66630 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.2 · CRITICAL
Wolfi vulnerability analysis and mitigation (source: NVD)
Score 9.2 (CNA score 9.2) · published February 9, 2026
Affected technologies: Wolfi
Cha
Bugzilla
CVE-2025-66630 golang-github-deepmap-oapi-codegen: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses [fedora-42]
bugzilla · 2026-02-11 · CVSS 9.2 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you
Bugzilla
CVE-2025-66630 golang-github-gofiber-fiber-2: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses [fedora-42]
bugzilla · 2026-02-11 · CVSS 9.2 · CRITICAL
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Discussion:
This message is a reminder that Fedora Linux 42 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 42 on 2026-05-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '42'.
Package Maintainer: If you wish for this bug to remain open because you plan