CVE-2025-66630
PUBLISHED
CVSS 9.2 CRITICAL
Fiber is an Express-inspired web framework written in Go. Before version 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because the Fiber v2 UUID functions return no error, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
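The failure mode described above, as an added example that is not Fiber's own code: a UUIDv4 generator modelled on the pattern the advisory describes (the error from the random reader is discarded) next to a hardened form that surfaces it. The failingReader type, ErrNoEntropy and the function names are constructed for this illustration; failingReader stands in for a pre-Go-1.24 crypto/rand whose Read call fails, which is the condition the advisory depends on.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// ErrNoEntropy is the constructed error returned by failingReader below.
var ErrNoEntropy = errors.New("constructed failure: secure randomness unavailable")

// failingReader models crypto/rand on a Go runtime older than 1.24 whose
// randomness source has failed: Read fills nothing and returns an error.
// (Constructed for this example; Go 1.24+ rand.Read never returns an error.)
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) { return 0, ErrNoEntropy }

// formatUUID renders 16 bytes in the canonical 8-4-4-4-12 form.
func formatUUID(b [16]byte) string {
	var dst [36]byte
	hex.Encode(dst[:8], b[:4])
	dst[8] = '-'
	hex.Encode(dst[9:13], b[4:6])
	dst[13] = '-'
	hex.Encode(dst[14:18], b[6:8])
	dst[18] = '-'
	hex.Encode(dst[19:23], b[8:10])
	dst[23] = '-'
	hex.Encode(dst[24:], b[10:])
	return string(dst[:])
}

// uuidV4Unchecked follows the pattern the advisory describes: the read error
// is discarded, so when entropy is unavailable the buffer stays zeroed and a
// well-formed but fixed identifier is still returned to the caller.
func uuidV4Unchecked(r io.Reader) string {
	var b [16]byte
	_, _ = io.ReadFull(r, b[:]) // error ignored: the bug
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return formatUUID(b)
}

// uuidV4Checked is the hardened form: the read error is propagated and no
// identifier is ever derived from an unfilled buffer.
func uuidV4Checked(r io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return "", fmt.Errorf("uuid: randomness unavailable: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
	return formatUUID(b), nil
}

// newUUIDv4 is the checked generator wired to the real crypto/rand source.
func newUUIDv4() (string, error) { return uuidV4Checked(rand.Reader) }

func main() {
	// Two "random" IDs under entropy failure are identical and all-zero.
	fmt.Println("unchecked, no entropy:", uuidV4Unchecked(failingReader{}))
	fmt.Println("unchecked, again:     ", uuidV4Unchecked(failingReader{}))
	if _, err := uuidV4Checked(failingReader{}); err != nil {
		fmt.Println("checked, no entropy:  ", err)
	}
	id, err := newUUIDv4()
	fmt.Println("checked, real entropy:", id, err)
}
```

Under the constructed failure the unchecked generator returns 00000000-0000-4000-8000-000000000000 on every call, which is exactly the "predictable, repeated" identifier the advisory warns about when it feeds a session ID, CSRF token or rate-limit key; the checked form refuses to hand one out. The remediation the advisory gives is to upgrade to Fiber 2.52.11; the example only shows why the error return matters.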
EPSS 0.02% · 5.9th percentile
Risk Scores
CVSS v4.0: 9.2
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | gofiber/fiber/v2 | < 2.52.11 |
| gofiber | fiber | < 2.52.11 |
Timeline
- Feb 9, 2026 CVE Published
- Feb 9, 2026 PoC Published
- Feb 10, 2026 EPSS Score
- Feb 12, 2026 EPSS Score
- Feb 14, 2026 EPSS Score
- Feb 15, 2026 Security Advisory
- Feb 16, 2026 EPSS Score
- Feb 18, 2026 EPSS Score
- Feb 20, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 24, 2026 EPSS Score
- Feb 26, 2026 EPSS Score
References
- https://github.com/gofiber/fiber/security/advisories/GHSA-68rr-p4fp-j59v (vendor advisory)
- https://github.com/gofiber/fiber/commit/eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1 (fix commit)
- https://github.com/gofiber/fiber/releases/tag/v2.52.11 (fixed release)
- https://nvd.nist.gov/vuln/detail/CVE-2025-66630 (NVD advisory)
- https://github.com/gofiber/fiber (package)