securityonline.info 2/11/2026, 1:16:17 AM

“Fiber” Optic Failure: Predictable UUIDs Expose Go Web Framework to Hijacking

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

A critical vulnerability has been disclosed in Fiber, the Go web framework, with the flaw tracked as CVE-2025-66630 and a CVSS score of 9.2. The issue arises because Fiber’s UUID generation silently falls back to a zero-valued UUID when secure randomness cannot be obtained on Go versions older than 1.24, exposing session management, CSRF protection and other features that rely on unique identifiers to potential hijacking or data conflicts.

The advisory explains that UUIDv4() and UUID() return the all-zero UUID 00000000-0000-0000-0000-000000000000 instead of failing, creating predictable tokens under certain conditions. This can lead to session hijacking, CSRF token predictability, and data corruption where database records rely on unique IDs.

The vulnerability affects Fiber v2 applications running on Go versions older than 1.24. The maintainers have released a fix in Fiber v2.52.11; upgrading Go to 1.24 or later also mitigates the issue, because crypto/rand in those versions panics rather than returning an error, so a zero UUID can no longer be produced. The article notes that this flaw is more likely in edge environments such as containerized deployments or restricted sandboxes where entropy may be limited.
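As an added illustration (not Fiber's code or the advisory's), the following Go program models the failure mode described above beside the fixed shape, and adds a consumer-side check that refuses the nil UUID outright; the names uuidV4Lenient, uuidV4Strict, usableToken and failingReader are assumptions for this example, and failingReader is a constructed entropy source that always fails.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// nilUUID is the all-zero UUID the advisory describes as the silent fallback.
const nilUUID = "00000000-0000-0000-0000-000000000000"

// format renders 16 raw bytes in the canonical 8-4-4-4-12 layout.
func format(b [16]byte) string {
	h := hex.EncodeToString(b[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// uuidV4Lenient models the pre-fix behaviour the advisory describes (not Fiber's code): a failed entropy read is swallowed.
func uuidV4Lenient(src io.Reader) string {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return format(b) // the bug: the untouched zero buffer becomes the nil UUID
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80 // version 4, RFC 4122 variant
	return format(b)
}

// uuidV4Strict is the fixed shape: no randomness means no UUID, and the caller
// sees an error instead of a predictable token.
func uuidV4Strict(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("uuid: secure randomness unavailable: %w", err)
	}
	b[6], b[8] = (b[6]&0x0f)|0x40, (b[8]&0x3f)|0x80
	return format(b), nil
}

// newUUIDv4 is the production entry point, backed by crypto/rand.
func newUUIDv4() (string, error) { return uuidV4Strict(rand.Reader) }

// usableToken is a defence-in-depth check for session/CSRF token consumers: the nil UUID is never valid.
func usableToken(id string) bool { return len(id) == 36 && id != nilUUID }

// failingReader is a constructed entropy source that always fails (for the example only).
type failingReader struct{}

func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }
```

Feeding failingReader to uuidV4Lenient yields exactly the nil UUID from the advisory, while uuidV4Strict returns an error for the same input.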


Article by CyberSIXT