fkie_cve-2025-66565
Vulnerability from fkie_nvd
Published
2025-12-09 16:18
Modified
2025-12-11 16:35
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.
References
security-advisories@github.comhttps://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47Patch
security-advisories@github.comhttps://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqrVendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqrVendor Advisory
Impacted products
Vendor Product Version
gofiber utils *
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0
gofiber utils 2.0.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:gofiber:utils:*:*:*:*:*:go:*:*",
              "matchCriteriaId": "0DBDBC08-F082-4844-85C8-67FDA50F1D96",
              "versionEndIncluding": "1.2.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta1:*:*:*:go:*:*",
              "matchCriteriaId": "3CF06202-3EB0-4193-8AB9-E47C120CAE7A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta10:*:*:*:go:*:*",
              "matchCriteriaId": "CF306733-FDF8-434D-BBE7-007A6FBB2609",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta11:*:*:*:go:*:*",
              "matchCriteriaId": "C941EF0D-AF47-4BD6-AC68-29F534E78881",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta12:*:*:*:go:*:*",
              "matchCriteriaId": "830BFD1F-2352-4118-B757-1DC00DCAED64",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta13:*:*:*:go:*:*",
              "matchCriteriaId": "A047A059-EF1D-48C7-B514-DF7B49538133",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta14:*:*:*:go:*:*",
              "matchCriteriaId": "EB8029EF-619F-48C5-BA13-E67A78DA3240",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta2:*:*:*:go:*:*",
              "matchCriteriaId": "244F7B18-D2DA-4F6B-A46B-22B91478E5C3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta3:*:*:*:go:*:*",
              "matchCriteriaId": "84145762-B2F9-474F-90DE-0D124EB25376",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta4:*:*:*:go:*:*",
              "matchCriteriaId": "91DCCAA4-F9C6-4380-AAB7-08954DA3E88D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta5:*:*:*:go:*:*",
              "matchCriteriaId": "64BE0DDC-6247-4C85-BBA0-4BC4F7670CDB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta6:*:*:*:go:*:*",
              "matchCriteriaId": "7E6AC663-DFA9-4E13-BB68-BD22318DCAB6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta7:*:*:*:go:*:*",
              "matchCriteriaId": "F5770BB7-1D1F-40D5-ACFB-4107C5D02719",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta8:*:*:*:go:*:*",
              "matchCriteriaId": "E37F4EC0-AAD8-4C85-9373-3FB5F51D8F52",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:beta9:*:*:*:go:*:*",
              "matchCriteriaId": "3817F39A-4874-4FF3-B4F9-ACF24E185BC2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc1:*:*:*:go:*:*",
              "matchCriteriaId": "37B2432A-5B45-4F42-A120-86BBD5EEF5EC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc2:*:*:*:go:*:*",
              "matchCriteriaId": "765A2191-9DA4-4D9D-AE26-EB53FCCE76AD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc3:*:*:*:go:*:*",
              "matchCriteriaId": "31281C49-0A9A-4008-8458-3DD0A9F9B016",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:gofiber:utils:2.0.0:rc4:*:*:*:go:*:*",
              "matchCriteriaId": "568DB697-4E86-4C33-AD1A-5E44E23D277F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system\u0027s cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID \"00000000-0000-0000-0000-000000000000\". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4."
    }
  ],
  "id": "CVE-2025-66565",
  "lastModified": "2025-12-11T16:35:06.997",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "LOW",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-12-09T16:18:21.097",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        },
        {
          "lang": "en",
          "value": "CWE-331"
        },
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-252"
        },
        {
          "lang": "en",
          "value": "CWE-338"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.