CVE-2025-66630
CRITICAL EPSS 37.3%
Published Feb 9, 2026 · Modified Feb 28, 2026
9.2 CVSS 4.0
Description
Fiber is an Express-inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error when secure randomness cannot be obtained. Because the Fiber v2 UUID functions do not return that error, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
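The failure mode described above, as an added illustration that is not Fiber's own code: `UUIDv4Unchecked` drops the error from the entropy source and so hands back a UUID built from a zeroed buffer, while `UUIDv4` surfaces the error to the caller. `failingReader` and `fixedSource` are constructed helpers for demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// uuidFromBytes stamps the RFC 4122 version-4 and variant bits and formats the 16 bytes.
func uuidFromBytes(b [16]byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// UUIDv4Unchecked illustrates the risky pattern the advisory describes: the read error is
// dropped, so if the entropy source fails the caller gets a UUID built from a zeroed buffer
// and cannot tell. Illustration only, not Fiber's implementation.
func UUIDv4Unchecked(src io.Reader) string {
	var b [16]byte
	io.ReadFull(src, b[:]) // error ignored: b stays zeroed on failure
	return uuidFromBytes(b)
}

// UUIDv4 is the checked form: a failed or short read surfaces as an error, so callers never
// silently receive a predictable identifier.
func UUIDv4(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("uuidv4: entropy source failed: %w", err)
	}
	return uuidFromBytes(b), nil
}

// failingReader simulates an entropy source that cannot supply randomness (constructed).
type failingReader struct{}
func (failingReader) Read(p []byte) (int, error) { return 0, errors.New("entropy unavailable") }

// fixedSource serves known bytes so the output is reproducible (constructed test helper).
func fixedSource(s string) io.Reader { return bytes.NewReader([]byte(s)) }

func main() {
	id, err := UUIDv4(rand.Reader) // real entropy source
	fmt.Println(id, err)
	fmt.Println(UUIDv4Unchecked(failingReader{})) // 00000000-0000-4000-8000-000000000000
	_, err = UUIDv4(failingReader{})
	fmt.Println(err) // uuidv4: entropy source failed: entropy unavailable
}
```

On Go 1.24 and later crypto/rand.Read no longer returns an error, which is why the advisory scopes the issue to earlier Go versions; on those versions the checked form is what prevents a silent all-zero identifier.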
CVSS Details
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
37.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-338
Affected Products 2
References 3
- github.com https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1
- github.com https://github.com/gofiber/fiber/releases/tag/v2.52.11
- github.com https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v
Remediation
- github.com https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1