Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values
Description
Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both UUIDv4() and UUID() silently fall back to returning predictable values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability has two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, and it compromises any Fiber application that uses these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fiber Utils UUID functions silently return predictable values when crypto/rand fails, compromising security in applications using Go < 1.24.
Vulnerability
Overview
CVE-2025-66565 describes a vulnerability in the github.com/gofiber/utils package affecting versions 2.0.0-rc.3 and earlier. The UUIDv4() and UUID() functions silently fall back to predictable UUID values, including the zero UUID 00000000-0000-0000-0000-000000000000, when the system's cryptographic random number generator (crypto/rand) fails [1][2]. Neither function propagates the error from crypto/rand.Read(): UUID() returns a hardcoded, deterministic value and UUIDv4() falls back to UUID() [3].
Exploitation
The fallback is reached when crypto/rand.Read() returns an error, which can only happen on Go versions before 1.24; from Go 1.24 onward crypto/rand.Read never returns an error and instead panics irrecoverably if the random source fails, so the fallback is unreachable there [3]. Two distinct failure paths exist. UUIDv4() calls uuid.NewRandom(), which reads from crypto/rand; if that returns an error, UUIDv4() falls back to the internal UUID() function. UUID() reads from crypto/rand.Read() once to seed a counter; if that read fails, the counter stays at zero and UUID() returns the zero UUID with no error indication [3]. No attacker action is needed to reach either path: the condition is environmental, and any application calling these functions on a host whose random source fails (exhausted, resource-limited, or blocked by a sandbox) produces the predictable values.
Impact
An attacker who can predict or force the generation of these fallback UUIDs can defeat security mechanisms that rely on UUID uniqueness or unpredictability, such as session tokens, CSRF tokens, or password reset links. The silent failure means applications receive a predictable value with no warning, potentially leading to account takeover or privilege escalation [2][3].
Mitigation
The issue is fixed in version 2.0.0-rc.4 (and in 1.2.0 on the v1 line, per the affected-packages table below), where the functions panic on crypto/rand failures instead of silently returning predictable values [4]. Users should upgrade. Applications built with Go 1.24 or later are not affected, because crypto/rand.Read there no longer returns an error and the runtime panics irrecoverably if the random source fails [3]. No workaround is available for affected versions; rejecting the zero UUID at the call site catches only the seeding-failure path, because UUIDv4() falls back to UUID(), which, once seeded successfully, keeps returning counter-derived values. Note also that UUID() is by design a fast counter-based generator seeded once from crypto/rand (see the incrementing uuidCounter in the patched hunk), not a source of unpredictable tokens even after the fix; use UUIDv4() or crypto/rand directly for anything security-sensitive.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/gofiber/utils/v2 | Go | < 2.0.0-rc.4 | 2.0.0-rc.4 |
| github.com/gofiber/utils | Go | < 1.2.0 | 1.2.0 |
Affected products
- gofiber/utils, range: <= 2.0.0-rc.3
- gofiber/utils, range: github.com/gofiber/utils <= 1.2.0
Patches
1 file changed · +3 −3
common.go+3 −3 modified@@ -57,12 +57,12 @@ func UUID() string { // Setup seed & counter once uuidSetup.Do(func() { if _, err := rand.Read(uuidSeed[:]); err != nil { - return + panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err)) } uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8]) }) if atomic.LoadUint64(&uuidCounter) <= 0 { - return "00000000-0000-0000-0000-000000000000" + panic("utils: UUID generator not properly seeded") } // first 8 bytes differ, taking a slice of the first 16 bytes x := atomic.AddUint64(&uuidCounter, 1) @@ -94,7 +94,7 @@ func UUID() string { func UUIDv4() string { token, err := uuid.NewRandom() if err != nil { - return UUID() + panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err)) } return token.String() }
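Review bot: In the first hunk (UUID(), the uuidSetup.Do block), panicking inside the Once leaves an awkward failure mode for any caller that recovers: sync.Once treats a function that panicked as completed, so a second call to UUID() skips seeding entirely and hits `panic("utils: UUID generator not properly seeded")` instead of retrying rand.Read. A recover middleware in front of request handlers will swallow the first panic and then every later call fails with the less informative message. Either document that the process must be restarted after the first panic, or move the retryable seeding out of the Once's success path (record the error and re-attempt on the next call). Two smaller points in the same hunk: `atomic.LoadUint64(&uuidCounter) <= 0` is just `== 0` for a uint64, and a successful seed whose first 8 bytes happen to be all zero (probability 2^-64) now trips the same "not properly seeded" panic, so a dedicated seeded flag set inside the Do would be more precise than inferring success from the counter value. Finally, the hunk introduces fmt.Sprintf but the diff shows no import change; confirm common.go already imports fmt (the +3 −3 stat suggests it does).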
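Review bot: In the second hunk (UUIDv4()), the new contract is undocumented: nothing in the diff updates the function's doc comment, and callers inside request handlers now get a process-level panic with no error-returning alternative. Add a line such as `// UUIDv4 panics if the OS random source fails` and consider an error-returning variant for callers that want to degrade gracefully. It is also worth stating in that comment that on Go 1.24+ crypto/rand.Read never returns an error (it panics itself), so the `if err != nil` branch is only reachable on older toolchains and should not be mistaken for dead code and removed later.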
Vulnerability mechanics
Root cause
"Silent fallback to predictable UUID values when crypto/rand.Read() fails, instead of failing fast with a panic."
Attack vector
An attacker does not directly trigger the bug; rather, the vulnerability is latent in the system environment. If the operating system's entropy source is exhausted or crypto/rand.Read() fails for any reason, the UUID() function silently returns a zero UUID ("00000000-0000-0000-0000-000000000000") and UUIDv4() falls back to calling UUID(), which also returns a predictable value. Any Fiber application that uses these UUID functions for security-critical operations (e.g., session tokens, CSRF tokens, password reset links) would then generate attacker-predictable values, enabling session hijacking, token forgery, or other impersonation attacks. The attack surface is broad because the failure is silent—applications receive no error indication.
Affected code
The vulnerability is in the UUID() and UUIDv4() functions in common.go. UUID() silently returns a zero UUID when crypto/rand.Read() fails during seeding or when uuidCounter is zero. UUIDv4() falls back to calling UUID() when uuid.NewRandom() fails, inheriting the same predictable behavior.
What the fix does
The patch replaces silent fallback with explicit panic() calls in three locations. In UUID(), when rand.Read() fails during seeding, the code now panics with the error message instead of returning silently. When uuidCounter is zero (indicating seeding never succeeded), the code panics instead of returning the zero UUID. In UUIDv4(), when uuid.NewRandom() fails, the code panics instead of falling back to the predictable UUID() function [patch_id=30821]. This fail-fast approach ensures that any crypto/rand failure is immediately visible, preventing applications from unknowingly using insecure UUIDs.
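The two failure paths from the Exploitation section above and the fail-fast fix described here, as an added example (this is not gofiber/utils code; it reconstructs the seed-plus-counter scheme visible in the hunk in approximate form, with the random source injected as an io.Reader so a crypto/rand failure can be simulated offline). counterGen, uuidV4, wrappedUUIDv4, looksLikeRandomV4, catchPanic, failingReader and the 16-byte seed in healthySource are all constructed for this example and are not the library's API. The failFast flag switches each function between the pre-fix and patched control flow; looksLikeRandomV4 is the consumer-side sanity check a caller on an unpatched version can apply to a token before trusting it.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"sync"
	"sync/atomic"
)

const zeroUUID = "00000000-0000-0000-0000-000000000000"

// failingReader is a constructed stand-in for an OS random source whose Read
// fails (the error crypto/rand.Read could return on Go < 1.24).
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, fmt.Errorf("simulated crypto/rand failure") }

// healthySource returns a constructed 16-byte seed standing in for working randomness.
func healthySource() io.Reader {
	return bytes.NewReader([]byte{0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12})
}

// formatUUID renders 16 bytes in the 8-4-4-4-12 hex layout.
func formatUUID(b [16]byte) string {
	h := hex.EncodeToString(b[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// counterGen approximates UUID(): seed once from src, then derive each value from an
// incrementing counter. failFast=false is the pre-fix silent fallback, true the patch.
type counterGen struct {
	counter  uint64
	src      io.Reader
	failFast bool
	once     sync.Once
	seed     [16]byte
}

func (g *counterGen) UUID() string {
	g.once.Do(func() {
		if _, err := io.ReadFull(g.src, g.seed[:]); err != nil {
			if g.failFast {
				panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err))
			}
			return // pre-fix: error swallowed, counter stays 0
		}
		g.counter = binary.LittleEndian.Uint64(g.seed[:8])
	})
	if atomic.LoadUint64(&g.counter) == 0 {
		if g.failFast {
			panic("utils: UUID generator not properly seeded")
		}
		return zeroUUID // pre-fix: the predictable fallback value
	}
	out := g.seed
	binary.LittleEndian.PutUint64(out[:8], atomic.AddUint64(&g.counter, 1))
	return formatUUID(out)
}

// uuidV4 draws 16 bytes, sets the RFC 4122 version and variant bits, and
// propagates the reader's error instead of substituting a value.
func uuidV4(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("uuid: random source failed: %w", err)
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	return formatUUID(b), nil
}

// wrappedUUIDv4 mirrors UUIDv4(): on error the pre-fix code falls back to UUID()
// (failFast=false), the patched code panics (failFast=true).
func wrappedUUIDv4(src io.Reader, fallback *counterGen, failFast bool) string {
	s, err := uuidV4(src)
	if err == nil {
		return s
	}
	if failFast {
		panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err))
	}
	return fallback.UUID()
}

// looksLikeRandomV4 is the consumer-side check: reject the zero UUID and anything
// whose version/variant nibbles are not those of a random (v4) UUID.
func looksLikeRandomV4(s string) bool {
	return len(s) == 36 && s != zeroUUID && s[14] == '4' && (s[19] == '8' || s[19] == '9' || s[19] == 'a' || s[19] == 'b')
}

// catchPanic runs f and returns its panic message, or "" if it returned normally.
func catchPanic(f func()) (msg string) {
	defer func() { if r := recover(); r != nil { msg = fmt.Sprint(r) } }()
	f()
	return
}

func main() {
	broken := failingReader{}
	fmt.Println("pre-fix:", (&counterGen{src: broken}).UUID(), wrappedUUIDv4(broken, &counterGen{src: broken}, false))
	fmt.Println("patched:", catchPanic(func() { (&counterGen{src: broken, failFast: true}).UUID() }), "|", catchPanic(func() { wrappedUUIDv4(broken, nil, true) }))
}
```

With the failing source, the pre-fix line prints the zero UUID twice (UUID() directly, and UUIDv4() via its fallback), while the patched line prints the two panic messages from the hunk. Comparing a token against the zero UUID alone is not a sufficient guard: if the random source worked at first use and failed later, the pre-fix UUIDv4() fallback returns a counter-derived value that is predictable but not zero, which is why the check also requires the v4 version and variant nibbles.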
Preconditions
- input: The system's crypto/rand reader must fail (e.g., entropy exhaustion, resource limits, or sandbox restrictions)
- config: The application must call UUID() or UUIDv4() for security-critical purposes (e.g., tokens, session IDs)
Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] https://github.com/advisories/GHSA-m98w-cqp3-qcqr (GHSA, ADVISORY)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2025-66565 (GHSA, ADVISORY)
- [3] https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47 (GHSA, x_refsource_MISC, WEB)
- [4] https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr (GHSA, x_refsource_CONFIRM, WEB)