CVE-2025-66630
Session fixation or hijacking vulnerability in v2 (Go)
What is CVE-2025-66630 About?
This vulnerability in Fiber v2 allows for the generation of predictable UUIDs due to a silent fallback to zero UUIDs when `crypto/rand` fails in Go versions prior to 1.24. This can lead to security-critical bypasses like session hijacking, CSRF token forgery, and authentication replay. Exploitation is relatively easy in misconfigured or resource-constrained environments where `crypto/rand` might fail.
Affected Software
Technical Details
Fiber v2 utilizes an internal vendored copy of gofiber/utils, including its UUIDv4() and UUID() functions. On Go versions older than 1.24, if the underlying crypto/rand implementation encounters an error (e.g., due to entropy exhaustion or source failures), these Fiber v2 UUID functions do not return an error but silently fall back to generating the all-zero UUID (00000000-0000-0000-0000-000000000000). This occurs because no error is explicitly returned by the Fiber v2 UUID functions, causing applications to unknowingly rely on predictable identifiers. Many Fiber v2 middleware components, such as session management, CSRF protection, and rate limiting, default to using utils.UUIDv4(), making them susceptible to predictable ID generation. Attack vectors include the use of these predictable values to bypass session, CSRF, and authentication mechanisms, or to trigger denial-of-service conditions by causing key-based structures to collapse under a single shared zero UUID.
What is the Impact of CVE-2025-66630?
Successful exploitation may allow attackers to hijack user sessions, forge CSRF tokens, perform authentication replay attacks, or cause denial-of-service by collapsing key-based data structures. This can compromise confidentiality, integrity, and authorization logic that relies on UUIDs for uniqueness or secrecy.
What is the Exploitability of CVE-2025-66630?
The exploitability of this vulnerability is moderate and does not require authentication or specific privileges, operating remotely. It primarily affects Fiber v2 users running on Go versions 1.23 or earlier. The core condition for exploitation is the failure of the crypto/rand source to provide secure randomness, which can occur in specific environments like containerized deployments, restricted sandboxes, or systems with misconfigured or degraded random number generators. While entropy exhaustion is rare on modern Linux, crypto/rand source failures are more likely in non-standard or resource-constrained environments, increasing the likelihood of silent predictable UUID generation. No special conditions are required from the attacker beyond triggering the vulnerable UUID generation under these environmental constraints.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2025-66630?
Available Upgrade Options
- github.com/gofiber/fiber/v2
- <2.52.11 → Upgrade to 2.52.11
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://osv.dev/vulnerability/GHSA-68rr-p4fp-j59v
- https://nvd.nist.gov/vuln/detail/CVE-2025-66630
- https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v
- https://github.com/gofiber/fiber
- https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1
- https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v
- https://github.com/gofiber/fiber/releases/tag/v2.52.11
- https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1
- https://github.com/gofiber/fiber/releases/tag/v2.52.11
What are Similar Vulnerabilities to CVE-2025-66630?
Similar Vulnerabilities: CVE-2023-45142 , CVE-2023-45803 , CVE-2022-29007 , CVE-2020-28498 , CVE-2016-1000027
