CVE-2025-66630
Published: 09 February 2026
Summary
CVE-2025-66630 is a critical-severity PRNG (CWE-338) vulnerability in Gofiber Fiber. Its CVSS base score is 9.4 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely identification, reporting, and patching of the Fiber framework flaw in CVE-2025-66630 by upgrading to v2.52.11 to eliminate predictable UUID generation.
Vulnerability monitoring and scanning detects deployments of vulnerable Fiber versions prior to 2.52.11 on Go <1.24, enabling proactive remediation.
Ensures receipt and dissemination of security advisories like GHSA-68rr-p4fp-j59v for CVE-2025-66630, prompting immediate action on the weak randomness issue.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Fiber web framework enables remote unauthenticated exploitation via predictable security tokens (sessions/CSRF/rate-limit IDs) from weak RNG.
NVD Description
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber…
more
v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
Deeper analysisAI
CVE-2025-66630 affects Fiber, an Express-inspired web framework written in Go, specifically versions prior to 2.52.11 when running on Go versions before 1.24. The vulnerability stems from Fiber v2 UUID functions, such as utils.UUIDv4(), which fail to propagate errors from the underlying crypto/rand implementation. If secure randomness cannot be obtained, these functions silently return predictable, repeated, or low-entropy identifiers without alerting application code. This issue, classified under CWE-338 (use of cryptographically weak random number generator), has a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L) due to its potential impact on security-critical components.
Attackers can exploit this vulnerability remotely without authentication or user interaction by targeting applications using affected Fiber middleware, such as session management, CSRF protection, rate limiting, or request-ID generation, which default to the flawed UUIDv4(). In environments where crypto/rand errors occur—such as resource-constrained systems or misconfigured entropy sources—predictable identifiers enable attacks like session fixation or hijacking, CSRF bypasses, rate limit evasion, and request tracking or duplication. The high confidentiality and integrity impacts arise from attackers predicting or colliding with security tokens, potentially leading to unauthorized access or data manipulation.
Mitigation is available in Fiber version 2.52.11, which addresses the error-handling flaw in UUID functions. Security practitioners should upgrade to this version immediately, verify Go runtime compatibility (ideally 1.24 or later), and audit custom code relying on Fiber's UUID utilities. Official advisories, including the GitHub security advisory GHSA-68rr-p4fp-j59v, release notes for v2.52.11, and the fixing commit eb874b6f6c5896b968d9b0ab2b56ac7052cb0ee1, provide detailed patch information and reproduction steps.
Details
- CWE(s)