Critical severityNVD Advisory· Published Feb 9, 2026· Updated Feb 10, 2026

Fiber insecurely fallsback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure

CVE-2025-66630

Description

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/gofiber/fiber/v2Go	< 2.52.11	2.52.11

Affected products

Gofiber/Fiberv5
Range: < 2.52.11

Patches

eb874b6f6c58

Merge commit from fork

https://github.com/gofiber/fiberJason McNeilDec 10, 2025via ghsa

commit

1 file changed · +3 −5

utils/common.go+3 −5 modified

@@ -9,6 +9,7 @@ import (
 	"crypto/rand"
 	"encoding/binary"
 	"encoding/hex"
+	"fmt"
 	"math"
 	"net"
 	"os"
@@ -47,13 +48,10 @@ func UUID() string {
 	// Setup seed & counter once
 	uuidSetup.Do(func() {
 		if _, err := rand.Read(uuidSeed[:]); err != nil {
-			return
+			panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err))
 		}
 		uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
 	})
-	if atomic.LoadUint64(&uuidCounter) <= 0 {
-		return emptyUUID
-	}
 	// first 8 bytes differ, taking a slice of the first 16 bytes
 	x := atomic.AddUint64(&uuidCounter, 1)
 	uuid := uuidSeed
@@ -84,7 +82,7 @@ func UUID() string {
 func UUIDv4() string {
 	token, err := googleuuid.NewRandom()
 	if err != nil {
-		return UUID()
+		panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err))
 	}
 	return token.String()
 }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-68rr-p4fp-j59vghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-66630ghsaADVISORY
github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1ghsax_refsource_MISCWEB
github.com/gofiber/fiber/releases/tag/v2.52.11ghsax_refsource_MISCWEB
github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59vghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000