2438199 – (CVE-2025-66630) CVE-2025-66630 github.com/gofiber/fiber/v2: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses

Bug 2438199 (CVE-2025-66630) - CVE-2025-66630 github.com/gofiber/fiber/v2: Fiber: Predictable UUIDs from randomness source errors can lead to security bypasses

Summary: CVE-2025-66630 github.com/gofiber/fiber/v2: Fiber: Predictable UUIDs from ran...

Keywords:
Status:	NEW
Alias:	CVE-2025-66630
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2438803 2438804 2438805 2438806
Blocks:
TreeView+	depends on / blocked

Reported:	2026-02-09 20:01 UTC by OSIDB Bzimport
Modified:	2026-02-11 05:54 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-02-09 20:01:34 UTC

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.

Note You need to log in before you can comment on or make changes to this bug.