CVE-2025-66630

CRITICAL EPSS 37.3%
9.2 CVSS 4.0
Critical
Published Feb 9, 2026 4mo ago
Last Modified Feb 28, 2026 4mo ago

Description

Fiber is an Express-inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because the Fiber v2 UUID functions return no error, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.

CVSS Details

Base Score
9.2
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
37.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-338

Affected Products 2

Vendor    Product   Version   Range
gofiber   fiber     *         <2.52.11
golang    go        *         <1.24.0

References 3

  • github.com https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1
    Patch
  • github.com https://github.com/gofiber/fiber/releases/tag/v2.52.11
    Product Release Notes
  • github.com https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v
    Vendor Advisory

Remediation

  • github.com https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1
    Patch