Description
Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.
Scores
CVSS v3: 9.8
EPSS: 0.0009
EPSS Percentile: 24.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-331, CWE-252, CWE-338
Status: published
Products (4)
gofiber/utils: 2.0.0 beta1 (18 CPE variants)
gofiber/utils: < 1.2.0
gofiber/utils: 0 - 1.2.0 (Go)
gofiber/utils: 0 - 2.0.0-rc.4 (Go)
Published: Dec 09, 2025
Tracked Since: Feb 18, 2026