CVE-2025-66565 PUBLISHED

Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values

Assigner: GitHub_M
Reserved: 04.12.2025 Published: 09.12.2025 Updated: 09.12.2025

Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	None	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	gofiber
Product	utils
Versions	Version github.com/gofiber/utils <= 1.2.0 is affected Version github.com/gofiber/utils/v2 < 2.0.0-rc.4 is affected

References

Problem Types

CWE-252: Unchecked Return Value CWE
CWE-331: Insufficient Entropy CWE
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) CWE