Advisory

Critical UUID Flaw in Fiber v2 Framework Enables Session Hijacking

Take action: If you are running applications built on Fiber v2, prioritize updating to version 2.52.11 and update environments to Go 1.24. This is a weird flaw that may not happen regularly and is hard to reproduce, but it will hit you if you leave the old version long enough. It's better to patch than to hope.


Learn More

Fiber v2, a popular web framework for the Go programming language, is reported to contain a critical security flaw that allows attackers to bypass security controls due to predictable identifier generation used in session management, CSRF protection and rate-limiting middleware.

The flaw is tracked as CVE-2025-66630 (CVSS score 8.1), a weak random number generation vulnerability in the internal gofiber/utils module. When the underlying crypto/rand library fails to provide secure entropy, the UUIDv4() and UUID() functions silently fall back to a predictable all-zero UUID (00000000-0000-0000-0000-000000000000). This allows attackers to predict session IDs or CSRF tokens. The framework continues execution with a static value instead of stopping the request when secure randomness is unavailable.

Attackers can hijack user sessions by predicting session IDs or forge CSRF tokens to perform unauthorized actions on behalf of users. Identical "zero-key" UUIDs can cause a denial-of-service (DoS) condition. Multiple requests sharing the same identifier result in internal caches and rate limiters collapsing into a single bucket, causing state corruption and system instability.

This vulnerability affects all versions of Fiber v2 prior to 2.52.11 when running on Go 1.23 or older. Entropy exhaustion is uncommon on modern Linux systems but the risk increases in Docker containers, chroot jails, or embedded devices. In these setups, crypto/rand is more likely to return an error that Fiber v2 ignores. Go 1.24 mitigates this by blocking or panicking when entropy is low, but the framework's internal logic remains flawed on older runtimes.

Organizations should update to Fiber v2 version 2.52.11 and replace internal UUID functions with hardened libraries like google/uuid.
