PT-2026-7122 · Go+1

Published

2026-02-09

·

Updated

2026-03-03

·

CVE-2025-66630

CVSS v3.1

9.4

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions

Fiber versions prior to 2.52.11 running on Go versions prior to 1.24
Description

Fiber, an Express-inspired web framework written in Go, can generate predictable identifiers when it runs on Go versions prior to 1.24. On those Go versions a crypto/rand read can return an error when secure randomness cannot be obtained, and the Fiber v2 UUID functions, UUIDv4() and UUID() in the gofiber/utils package, do not surface that error to the caller. Application code therefore has no way to detect the failure and may use a low-entropy identifier in a security-critical role. This matters because many Fiber v2 middleware components, including the session, CSRF, rate-limiting and request-ID middleware, default to utils.UUIDv4() for their identifiers. Possible impacts are session fixation or hijacking, CSRF token forgery, authentication replay, denial of service, and request-ID collisions. Entropy-source failure is rare on modern Linux hosts but more likely in containerized deployments, restricted sandboxes, or misconfigured systems. On Go 1.24 and later, crypto/rand.Read is documented never to return an error, so the unchecked-error path cannot occur there.
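The following is an added illustration of the bug class described above, not Fiber's own code: it models a UUIDv4 generator that discards the random-source error beside one that propagates it, and drives both with a constructed reader that always fails (the hypothetical failingReader and ErrNoEntropy stand in for a crypto/rand failure on Go < 1.24). The vulnerable variant still returns a well-formed, all-zero UUID, which is exactly what a session or CSRF middleware would then use.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrNoEntropy is a constructed error standing in for a crypto/rand read
// failure on Go < 1.24 (hypothetical; not Fiber's code).
var ErrNoEntropy = errors.New("random source unavailable")

// failingReader is a constructed io.Reader that never yields bytes, to
// simulate an exhausted or inaccessible entropy source.
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) { return 0, ErrNoEntropy }

// formatUUID sets the version-4 and RFC 4122 variant bits on a 16-byte
// buffer and renders it in the canonical 8-4-4-4-12 form.
func formatUUID(b [16]byte) string {
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
	h := hex.EncodeToString(b[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// unsafeUUIDv4 models the vulnerable pattern: the read error is discarded,
// so on failure the untouched zero buffer is formatted and returned as if
// it were random.
func unsafeUUIDv4(src io.Reader) string {
	var b [16]byte
	_, _ = io.ReadFull(src, b[:]) // error dropped; caller cannot tell
	return formatUUID(b)
}

// safeUUIDv4 is the hardened form: the error is propagated so the caller
// can fail closed instead of issuing a low-entropy identifier.
func safeUUIDv4(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("uuidv4: %w", err)
	}
	return formatUUID(b), nil
}

func main() {
	// Healthy source: both variants produce a fresh identifier.
	fmt.Println("unsafe, healthy:", unsafeUUIDv4(rand.Reader))
	u, err := safeUUIDv4(rand.Reader)
	fmt.Println("safe, healthy:  ", u, err)

	// Failing source: the unsafe variant still returns a syntactically
	// valid UUID containing no randomness at all; the safe one errors.
	fmt.Println("unsafe, failing:", unsafeUUIDv4(failingReader{}))
	u, err = safeUUIDv4(failingReader{})
	fmt.Println("safe, failing:  ", u, err)
}
```

With the failing reader, unsafeUUIDv4 returns 00000000-0000-4000-8000-000000000000, which passes any format check while being fully predictable; safeUUIDv4 returns an error wrapping ErrNoEntropy. Any identifier generator used for sessions, CSRF tokens or rate-limit keys should follow the second shape, or run on a Go version where the random source cannot fail silently.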
Recommendations

Update Fiber v2 to 2.52.11 or later. Running on Go 1.24 or later also removes the failure mode, since crypto/rand.Read no longer returns an error there. govulncheck reports this issue as GO-2026-4471, which is the quickest way to confirm whether a build is affected.

Related Identifiers

CVE-2025-66630
GHSA-68RR-P4FP-J59V
GO-2026-4471
SUSE-SU-2026:0757-1

Affected Products

Fiber
Go