cvelistv5 - cve-2025-66565

CVE-2025-66565 (GCVE-0-2025-66565)

Vulnerability from cvelistv5

Published

2025-12-09 01:47

Modified

2025-12-09 16:03

Severity ?

9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

CWE

CWE-252 - Unchecked Return Value
CWE-331 - Insufficient Entropy
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

Summary

Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.

References

URL

Tags

security-advisories@github.com	https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47	Patch
security-advisories@github.com	https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr	Vendor Advisory

Impacted products

	Vendor	Product	Version
	gofiber	utils	Version: github.com/gofiber/utils <= 1.2.0 Version: github.com/gofiber/utils/v2 < 2.0.0-rc.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66565",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-09T14:16:58.759199Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-09T16:03:03.356Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "utils",
          "vendor": "gofiber",
          "versions": [
            {
              "status": "affected",
              "version": "github.com/gofiber/utils \u003c= 1.2.0"
            },
            {
              "status": "affected",
              "version": "github.com/gofiber/utils/v2 \u003c 2.0.0-rc.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system\u0027s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID \"00000000-0000-0000-0000-000000000000\". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-252",
              "description": "CWE-252: Unchecked Return Value",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-331",
              "description": "CWE-331: Insufficient Entropy",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-338",
              "description": "CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-09T01:47:58.430Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
        },
        {
          "name": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
        }
      ],
      "source": {
        "advisory": "GHSA-m98w-cqp3-qcqr",
        "discovery": "UNKNOWN"
      },
      "title": "Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-66565",
    "datePublished": "2025-12-09T01:47:58.430Z",
    "dateReserved": "2025-12-04T16:05:22.975Z",
    "dateUpdated": "2025-12-09T16:03:03.356Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-66565\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-12-09T16:18:21.097\",\"lastModified\":\"2025-12-11T16:35:06.997\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system\u0027s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID \\\"00000000-0000-0000-0000-000000000000\\\". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-252\"},{\"lang\":\"en\",\"value\":\"CWE-331\"},{\"lang\":\"en\",\"value\":\"CWE-338\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-252\"},{\"lang\":\"en\",\"value\":\"CWE-338\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:*:*:*:*:*:go:*:*\",\"versionEndIncluding\":\"1.2.0\",\"matchCriteriaId\":\"0DBDBC08-F082-4844-85C8-67FDA50F1D96\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta1:*:*:*:go:*:*\",\"matchCriteriaId\":\"3CF06202-3EB0-4193-8AB9-E47C120CAE7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta10:*:*:*:go:*:*\",\"matchCriteriaId\":\"CF306733-FDF8-434D-BBE7-007A6FBB2609\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta11:*:*:*:go:*:*\",\"matchCriteriaId\":\"C941EF0D-AF47-4BD6-AC68-29F534E78881\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta12:*:*:*:go:*:*\",\"matchCriteriaId\":\"830BFD1F-2352-4118-B757-1DC00DCAED64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta13:*:*:*:go:*:*\",\"matchCriteriaId\":\"A047A059-EF1D-48C7-B514-DF7B49538133\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta14:*:*:*:go:*:*\",\"matchCriteriaId\":\"EB8029EF-619F-48C5-BA13-E67A78DA3240\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta2:*:*:*:go:*:*\",\"matchCriteriaId\":\"244F7B18-D2DA-4F6B-A46B-22B91478E5C3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta3:*:*:*:go:*:*\",\"matchCriteriaId\":\"84145762-B2F9-474F-90DE-0D124EB25376\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta4:*:*:*:go:*:*\",\"matchCriteriaId\":\"91DCCAA4-F9C6-4380-AAB7-08954DA3E88D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta5:*:*:*:go:*:*\",\"matchCriteriaId\":\"64BE0DDC-6247-4C85-BBA0-4BC4F7670CDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta6:*:*:*:go:*:*\",\"matchCriteriaId\":\"7E6AC663-DFA9-4E13-BB68-BD22318DCAB6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta7:*:*:*:go:*:*\",\"matchCriteriaId\":\"F5770BB7-1D1F-40D5-ACFB-4107C5D02719\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta8:*:*:*:go:*:*\",\"matchCriteriaId\":\"E37F4EC0-AAD8-4C85-9373-3FB5F51D8F52\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:beta9:*:*:*:go:*:*\",\"matchCriteriaId\":\"3817F39A-4874-4FF3-B4F9-ACF24E185BC2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:rc1:*:*:*:go:*:*\",\"matchCriteriaId\":\"37B2432A-5B45-4F42-A120-86BBD5EEF5EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:rc2:*:*:*:go:*:*\",\"matchCriteriaId\":\"765A2191-9DA4-4D9D-AE26-EB53FCCE76AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:rc3:*:*:*:go:*:*\",\"matchCriteriaId\":\"31281C49-0A9A-4008-8458-3DD0A9F9B016\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gofiber:utils:2.0.0:rc4:*:*:*:go:*:*\",\"matchCriteriaId\":\"568DB697-4E86-4C33-AD1A-5E44E23D277F\"}]}]}],\"references\":[{\"url\":\"https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-66565\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-12-09T14:16:58.759199Z\"}}}], \"references\": [{\"url\": \"https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-12-09T14:17:01.343Z\"}}], \"cna\": {\"title\": \"Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values\", \"source\": {\"advisory\": \"GHSA-m98w-cqp3-qcqr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gofiber\", \"product\": \"utils\", \"versions\": [{\"status\": \"affected\", \"version\": \"github.com/gofiber/utils \u003c= 1.2.0\"}, {\"status\": \"affected\", \"version\": \"github.com/gofiber/utils/v2 \u003c 2.0.0-rc.4\"}]}], \"references\": [{\"url\": \"https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr\", \"name\": \"https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47\", \"name\": \"https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system\u0027s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID \\\"00000000-0000-0000-0000-000000000000\\\". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-252\", \"description\": \"CWE-252: Unchecked Return Value\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-331\", \"description\": \"CWE-331: Insufficient Entropy\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-338\", \"description\": \"CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-12-09T01:47:58.430Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-66565\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-12-09T16:03:03.356Z\", \"dateReserved\": \"2025-12-04T16:05:22.975Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-12-09T01:47:58.430Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

fkie_cve-2025-66565

Vulnerability from fkie_nvd

Published

2025-12-09 16:18

Modified

2025-12-11 16:35

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47	Patch
security-advisories@github.com	https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr	Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr	Vendor Advisory

Impacted products

Vendor	Product	Version
gofiber	utils	*
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0
gofiber	utils	2.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gofiber:utils:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "0DBDBC08-F082-4844-85C8-67FDA50F1D96",
              "versionEndIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta1:*:*:*:go:*:*",
              "matchCriteriaId": "3CF06202-3EB0-4193-8AB9-E47C120CAE7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta10:*:*:*:go:*:*",
              "matchCriteriaId": "CF306733-FDF8-434D-BBE7-007A6FBB2609",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta11:*:*:*:go:*:*",
              "matchCriteriaId": "C941EF0D-AF47-4BD6-AC68-29F534E78881",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta12:*:*:*:go:*:*",
              "matchCriteriaId": "830BFD1F-2352-4118-B757-1DC00DCAED64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta13:*:*:*:go:*:*",
              "matchCriteriaId": "A047A059-EF1D-48C7-B514-DF7B49538133",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta14:*:*:*:go:*:*",
              "matchCriteriaId": "EB8029EF-619F-48C5-BA13-E67A78DA3240",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta2:*:*:*:go:*:*",
              "matchCriteriaId": "244F7B18-D2DA-4F6B-A46B-22B91478E5C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta3:*:*:*:go:*:*",
              "matchCriteriaId": "84145762-B2F9-474F-90DE-0D124EB25376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta4:*:*:*:go:*:*",
              "matchCriteriaId": "91DCCAA4-F9C6-4380-AAB7-08954DA3E88D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta5:*:*:*:go:*:*",
              "matchCriteriaId": "64BE0DDC-6247-4C85-BBA0-4BC4F7670CDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta6:*:*:*:go:*:*",
              "matchCriteriaId": "7E6AC663-DFA9-4E13-BB68-BD22318DCAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta7:*:*:*:go:*:*",
              "matchCriteriaId": "F5770BB7-1D1F-40D5-ACFB-4107C5D02719",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta8:*:*:*:go:*:*",
              "matchCriteriaId": "E37F4EC0-AAD8-4C85-9373-3FB5F51D8F52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta9:*:*:*:go:*:*",
              "matchCriteriaId": "3817F39A-4874-4FF3-B4F9-ACF24E185BC2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc1:*:*:*:go:*:*",
              "matchCriteriaId": "37B2432A-5B45-4F42-A120-86BBD5EEF5EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc2:*:*:*:go:*:*",
              "matchCriteriaId": "765A2191-9DA4-4D9D-AE26-EB53FCCE76AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc3:*:*:*:go:*:*",
              "matchCriteriaId": "31281C49-0A9A-4008-8458-3DD0A9F9B016",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc4:*:*:*:go:*:*",
              "matchCriteriaId": "568DB697-4E86-4C33-AD1A-5E44E23D277F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system\u0027s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID \"00000000-0000-0000-0000-000000000000\". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4."
    }
  ],
  "id": "CVE-2025-66565",
  "lastModified": "2025-12-11T16:35:06.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-09T16:18:21.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        },
        {
          "lang": "en",
          "value": "CWE-331"
        },
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        },
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-m98w-cqp3-qcqr

Vulnerability from github

Published

2025-12-08 17:57

Modified

2025-12-12 16:30

Severity ?

9.2 (Critical) - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Summary

Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values

Details

Summary

Critical security vulnerabilities exist in both the UUIDv4() and UUID() functions of the github.com/gofiber/utils package. When the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, the zero UUID "00000000-0000-0000-0000-000000000000". This compromises the security of all Fiber applications using these functions for security-critical operations on Go versions prior to 1.24.

Both functions are vulnerable to the same root cause (crypto/rand failure):

UUIDv4(): Indirect vulnerability through uuid.NewRandom() → crypto/rand.Read() → fallback to UUID()
UUID(): Direct vulnerability through crypto/rand.Read(uuidSeed[:]) → silent zero UUID return

Note: Go 1.24 and later panics on crypto/rand Read() failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.

Vulnerability Details

Affected Functions

Package: github.com/gofiber/utils
Functions: UUIDv4() and UUID()
Return Type: string (both functions)
Locations: common.go:93-99 (UUIDv4), common.go:60-89 (UUID)

Technical Description

The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures on Go < 1.24:

Primary Path: UUIDv4() Vulnerability

UUIDv4() calls google/uuid.NewRandom() which internally uses crypto/rand.Read()
If uuid.NewRandom() fails, UUIDv4() falls back to the internal UUID() function
No error is returned to the application - silent security failure occurs

Secondary Path: UUID() Vulnerability

UUID() directly calls crypto/rand.Read(uuidSeed[:]) to seed its internal state
If seeding fails, UUID() silently fails and returns the zero UUID "00000000-0000-0000-0000-000000000000"
Applications receive predictable UUIDs with no indication of the security failure

Code Analysis

UUIDv4() Vulnerability Path

go func UUIDv4() string { token, err := uuid.NewRandom() // Uses crypto/rand.Read() internally if err != nil { return UUID() // Dangerous fallback - no error returned to application } return token.String() }

UUID() Vulnerability Path

go func UUID() string { uuidSetup.Do(func() { if _, err := rand.Read(uuidSeed[:]); err != nil { // Direct crypto/rand.Read() call return // Silent failure - no seeding, uuidCounter remains 0 } uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8]) }) if atomic.LoadUint64(&uuidCounter) <= 0 { return "00000000-0000-0000-0000-000000000000" // Zero UUID returned silently } // ... generate UUID from counter }

Root Cause: Both vulnerabilities stem from crypto/rand.Read() failures, occurring through different code paths with the same dangerous silent fallback behavior.

Security Impact

Severity: CRITICAL

This issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to utils.UUIDv4() for generating security-sensitive identifiers. A failure in crypto/rand would cause every generated identifier across the entire application to collapse to a single predictable value (the zero UUID), resulting in:

Session fixation / universal session hijack
CSRF token predictability and bypass
Authentication token replay
Global identifier collisions leading to severe application breakage
Potential application-wide DoS due to every request using the same “unique” key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users

Attack Scenario

While entropy exhaustion is extremely rare on modern Linux systems, RNG access failures (e.g., restricted /dev/random or /dev/urandom access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on Go < 1.24, crypto/rand may return errors immediately — triggering the vulnerable fallback paths.

On Go 1.24+, crypto/rand Read() panics on failure, mitigating the silent-zero fallback issue.

Proof of Concept

uuid.NewRandom() fails (indirect crypto/rand.Read() failure)
UUIDv4() calls UUID() as fallback with no error returned
UUID() seeding fails directly via crypto/rand.Read(uuidSeed[:])
Zero UUID "00000000-0000-0000-0000-000000000000" is returned silently
No error is propagated to the application from either function

Affected Versions

All versions of github.com/gofiber/utils containing the UUIDv4() or UUID() functions
Applications using Fiber middleware that depend on UUIDv4() or UUID for security
Only applicable to Go < 1.24; Go 1.24+ panics/block on crypto/rand Read() failures and is not affected

Mitigation

Immediate Workaround

Replace usage of utils.UUIDv4() with uuid.New() or wait for fix:

go sessionID := uuid.New()

Recommended Fix

Modify utils.UUIDv4() and utils.UUID() to fail explicitly when cryptographic randomness is unavailable:

```go func UUIDv4() string { token, err := uuid.NewRandom() if err != nil { panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err)) } return token.String() }

func UUID() string { uuidSetup.Do(func() { if _, err := rand.Read(uuidSeed[:]); err != nil { panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err)) } uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8]) }) if atomic.LoadUint64(&uuidCounter) <= 0 { panic("utils: UUID generator not properly seeded") } // ... generate UUID from counter } ```

Detection

Applications can detect if they're affected by:

Checking if they use github.com/gofiber/utils
Searching for UUIDv4() and UUID() usage in security-critical code paths
Reviewing Fiber middleware configurations that rely on defaults of UUIDv4() for security identifiers

References

Package Repository: https://github.com/gofiber/utils
Fiber Framework: https://github.com/gofiber/fiber
Google UUID Library: https://github.com/google/uuid
Golang crypto/rand behavior changes: golang/go#66821, Go 1.25.5 source

Contact

Reported by: @sixcolors

Classification

OWASP: A02:2021 - Cryptographic Failures
Impact: Complete compromise of application security model on Go < 1.24
Exploitability: Medium (requires entropy failure)
Scope: All Fiber applications using affected middleware on Go < 1.24

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.0.0-rc.3.0.20251205210924-6c6cf047032b"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/utils/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-252",
      "CWE-331",
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T17:57:26Z",
    "nvd_published_at": "2025-12-09T16:18:21Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nCritical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system\u0027s cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, the zero UUID `\"00000000-0000-0000-0000-000000000000\"`. This compromises the security of all Fiber applications using these functions for security-critical operations on **Go versions prior to 1.24**.\n\n**Both functions are vulnerable to the same root cause (`crypto/rand` failure):**\n\n* `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` \u2192 `crypto/rand.Read()` \u2192 fallback to `UUID()`\n* `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` \u2192 silent zero UUID return\n\n\u003e **Note:** Go 1.24 and later panics on `crypto/rand` `Read()` failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.\n\n---\n\n## Vulnerability Details\n\n### Affected Functions\n\n* **Package**: `github.com/gofiber/utils`\n* **Functions**: `UUIDv4()` and `UUID()`\n* **Return Type**: `string` (both functions)\n* **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-89` (UUID)\n\n### Technical Description\n\nThe vulnerability occurs through two related but distinct failure paths, both ultimately caused by `crypto/rand.Read()` failures on Go \u003c 1.24:\n\n#### Primary Path: UUIDv4() Vulnerability\n\n1. `UUIDv4()` calls `google/uuid.NewRandom()` which internally uses `crypto/rand.Read()`\n2. If `uuid.NewRandom()` fails, `UUIDv4()` falls back to the internal `UUID()` function\n3. **No error is returned to the application** - silent security failure occurs\n\n#### Secondary Path: UUID() Vulnerability\n\n1. `UUID()` directly calls `crypto/rand.Read(uuidSeed[:])` to seed its internal state\n2. If seeding fails, `UUID()` **silently fails** and returns the zero UUID `\"00000000-0000-0000-0000-000000000000\"`\n3. Applications receive predictable UUIDs with no indication of the security failure\n\n---\n\n### Code Analysis\n\n#### UUIDv4() Vulnerability Path\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()  // Uses crypto/rand.Read() internally\n\tif err != nil {\n\t\treturn UUID()  // Dangerous fallback - no error returned to application\n\t}\n\treturn token.String()\n}\n```\n\n#### UUID() Vulnerability Path\n\n```go\nfunc UUID() string {\n\tuuidSetup.Do(func() {\n\t\tif _, err := rand.Read(uuidSeed[:]); err != nil {  // Direct crypto/rand.Read() call\n\t\t\treturn  // Silent failure - no seeding, uuidCounter remains 0\n\t\t}\n\t\tuuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n\t})\n\tif atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n\t\treturn \"00000000-0000-0000-0000-000000000000\"  // Zero UUID returned silently\n\t}\n\t// ... generate UUID from counter\n}\n```\n\n**Root Cause:** Both vulnerabilities stem from `crypto/rand.Read()` failures, occurring through different code paths with the same dangerous silent fallback behavior.\n\n---\n\n## Security Impact\n\n### Severity: CRITICAL\n\nThis issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to `utils.UUIDv4()` for generating security-sensitive identifiers. A failure in `crypto/rand` would cause **every generated identifier across the entire application** to collapse to a single predictable value (the zero UUID), resulting in:\n\n* **Session fixation / universal session hijack**\n* **CSRF token predictability and bypass**\n* **Authentication token replay**\n* **Global identifier collisions leading to severe application breakage**\n* **Potential application-wide DoS** due to every request using the same \u201cunique\u201d key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users\n\n---\n\n### Attack Scenario\n\nWhile **entropy exhaustion is extremely rare on modern Linux systems**, *RNG access failures* (e.g., restricted `/dev/random` or `/dev/urandom` access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on **Go \u003c 1.24**, `crypto/rand` may return errors immediately \u2014 triggering the vulnerable fallback paths.\n\nOn **Go 1.24+**, `crypto/rand` `Read()` panics on failure, mitigating the silent-zero fallback issue.\n\n---\n\n### Proof of Concept\n\n1. `uuid.NewRandom()` fails (indirect `crypto/rand.Read()` failure)\n2. `UUIDv4()` calls `UUID()` as fallback with no error returned\n3. `UUID()` seeding fails directly via `crypto/rand.Read(uuidSeed[:])`\n4. Zero UUID `\"00000000-0000-0000-0000-000000000000\"` is returned silently\n5. No error is propagated to the application from either function\n\n---\n\n## Affected Versions\n\n* All versions of `github.com/gofiber/utils` containing the `UUIDv4()` or `UUID()` functions\n* Applications using Fiber middleware that depend on `UUIDv4()` or `UUID` for security\n* **Only applicable to Go \u003c 1.24**; Go 1.24+ panics/block on `crypto/rand` `Read()` failures and is not affected\n\n---\n\n## Mitigation\n\n### Immediate Workaround\n\nReplace usage of `utils.UUIDv4()` with `uuid.New()` or wait for fix:\n\n```go\nsessionID := uuid.New()\n```\n\n### Recommended Fix\n\nModify `utils.UUIDv4()` and `utils.UUID()` to fail explicitly when cryptographic randomness is unavailable:\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"utils: failed to generate secure UUID: %v\", err))\n\t}\n\treturn token.String()\n}\n\nfunc UUID() string {\n    uuidSetup.Do(func() {\n        if _, err := rand.Read(uuidSeed[:]); err != nil {\n            panic(fmt.Sprintf(\"utils: failed to seed UUID generator: %v\", err))\n        }\n        uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n    })\n    if atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n        panic(\"utils: UUID generator not properly seeded\")\n    }\n    // ... generate UUID from counter\n}\n```\n\n---\n\n## Detection\n\nApplications can detect if they\u0027re affected by:\n\n1. Checking if they use `github.com/gofiber/utils`\n2. Searching for `UUIDv4()` and `UUID()` usage in security-critical code paths\n3. Reviewing Fiber middleware configurations that rely on defaults of `UUIDv4()` for security identifiers\n\n---\n\n## References\n\n* **Package Repository**: [https://github.com/gofiber/utils](https://github.com/gofiber/utils)\n* **Fiber Framework**: [https://github.com/gofiber/fiber](https://github.com/gofiber/fiber)\n* **Google UUID Library**: [https://github.com/google/uuid](https://github.com/google/uuid)\n* Golang `crypto/rand` behavior changes: [golang/go#66821](https://github.com/golang/go/issues/66821), [Go 1.25.5 source](https://cs.opensource.google/go/go/+/refs/tags/go1.25.5:src/crypto/rand/rand.go;l=80)\n\n---\n\n## Contact\n\nReported by: [@sixcolors](https://github.com/sixcolors)\n\n---\n\n## Classification\n\n* **OWASP**: A02:2021 - Cryptographic Failures\n* **Impact**: Complete compromise of application security model on Go \u003c 1.24\n* **Exploitability**: Medium (requires entropy failure)\n* **Scope**: All Fiber applications using affected middleware on Go \u003c 1.24",
  "id": "GHSA-m98w-cqp3-qcqr",
  "modified": "2025-12-12T16:30:26Z",
  "published": "2025-12-08T17:57:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/utils"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-66565 (GCVE-0-2025-66565)

Vulnerability from cvelistv5

fkie_cve-2025-66565

Vulnerability from fkie_nvd

ghsa-m98w-cqp3-qcqr

Vulnerability from github

Summary

Vulnerability Details

Affected Functions

Technical Description

Primary Path: UUIDv4() Vulnerability

Secondary Path: UUID() Vulnerability

Code Analysis

UUIDv4() Vulnerability Path

UUID() Vulnerability Path

Security Impact

Severity: CRITICAL

Attack Scenario

Proof of Concept

Affected Versions

Mitigation

Immediate Workaround

Recommended Fix

Detection

References

Contact

Classification

Tags

Sightings

Nomenclature