{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-66630", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-12-05T15:42:44.716Z", "datePublished": "2026-02-09T18:04:47.713Z", "dateUpdated": "2026-02-10T16:02:43.238Z"}, "containers": {"cna": {"title": "Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() \u2014 predictable / zero\u2011UUID on crypto/rand failure", "problemTypes": [{"descriptions": [{"cweId": "CWE-338", "lang": "en", "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v"}, {"name": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1", "tags": ["x_refsource_MISC"], "url": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1"}, {"name": "https://github.com/gofiber/fiber/releases/tag/v2.52.11", "tags": ["x_refsource_MISC"], "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.11"}], "affected": [{"vendor": "gofiber", "product": "fiber", "versions": [{"version": "< 2.52.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:04:47.713Z"}, "descriptions": [{"lang": "en", "value": "Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11."}], "source": {"advisory": "GHSA-68rr-p4fp-j59v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:29.686589Z", "id": "CVE-2025-66630", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:02:43.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-66630", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:29.686589Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:30.385Z"}}], "cna": {"title": "Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() \u2014 predictable / zero\u2011UUID on crypto/rand failure", "source": {"advisory": "GHSA-68rr-p4fp-j59v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "gofiber", "product": "fiber", "versions": [{"status": "affected", "version": "< 2.52.11"}]}], "references": [{"url": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v", "name": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1", "name": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/gofiber/fiber/releases/tag/v2.52.11", "name": "https://github.com/gofiber/fiber/releases/tag/v2.52.11", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-338", "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T18:04:47.713Z"}}}, "cveMetadata": {"cveId": "CVE-2025-66630", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:02:43.238Z", "dateReserved": "2025-12-05T15:42:44.716Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T18:04:47.713Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11."}], "id": "CVE-2025-66630", "lastModified": "2026-02-09T21:55:30.093", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T18:16:04.680", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1"}, {"source": "security-advisories@github.com", "url": "https://github.com/gofiber/fiber/releases/tag/v2.52.11"}, {"source": "security-advisories@github.com", "url": "https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-338"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "github.com/gofiber/fiber/v2: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses", "id": "2438199", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438199"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "status": "draft"}, "cwe": "CWE-331", "details": ["Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.", "A flaw was found in the Fiber web framework (github.com/gofiber/fiber/v2). On Go versions prior to 1.24, the framework's Universally Unique Identifier (UUID) generation functions do not return an error when the underlying cryptographic randomness source fails. This can cause applications to use predictable or low-entropy UUIDs in security-sensitive areas, such as session management or Cross-Site Request Forgery (CSRF) protection. An attacker could potentially exploit this by leveraging environmental conditions or application-specific weaknesses, which may significantly affect confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2025-66630", "public_date": "2026-02-09T18:04:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-66630\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-66630\nhttps://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1\nhttps://github.com/gofiber/fiber/releases/tag/v2.52.11\nhttps://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v"], "statement": "This vulnerability is classified as Important rather than Critical because exploitation depends on an environmental failure of the randomness source rather than a condition directly controllable by a remote attacker. The flaw does not enable immediate unauthenticated remote code execution or direct system compromise; instead, impact occurs only if crypto/rand fails and the application subsequently relies on predictable UUID values in security-sensitive contexts. Since triggering conditions typically involve misconfigured containers, restricted environments, or degraded entropy sources, successful exploitation requires additional environmental or application-specific weaknesses. Therefore, while confidentiality and integrity can be significantly affected once triggered, the lack of a direct, easily exploitable remote attack path aligns the issue with Important severity rather than Critical.", "threat_severity": "Important"}