Description
Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.
A flaw was found in the Fiber web framework (github.com/gofiber/fiber/v2). On Go versions prior to 1.24, the framework's Universally Unique Identifier (UUID) generation functions do not return an error when the underlying cryptographic randomness source fails. The Go version matters because crypto/rand.Read could still return an error before Go 1.24; from Go 1.24 onward it never returns an error and instead terminates the program if secure randomness cannot be obtained, so the silent-fallback path cannot be reached there. This can cause applications to use predictable or low-entropy UUIDs in security-sensitive areas, such as session management or Cross-Site Request Forgery (CSRF) protection. An attacker could potentially exploit this by leveraging environmental conditions or application-specific weaknesses, which may significantly affect confidentiality and integrity.
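The failure mode described above, as an added illustration (not Fiber's own code): a UUIDv4 generator that discards the randomness error beside a fail-closed variant, a check that rejects the fixed value the unchecked path produces, and a `func() string` key generator that panics instead of returning a predictable key. The `failingReader`, `NilV4`, `looksPredictable` and `NewKeyGenerator` names are this example's own; the assumption that a `func() string` hook is the shape Fiber's session and CSRF middleware accept for key generation is also mine, and the injected `io.Reader` stands in for crypto/rand so the error path can be exercised on any Go version.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNoEntropy is returned when the randomness source cannot fill the buffer.
var ErrNoEntropy = errors.New("uuid: secure randomness unavailable")

// formatV4 stamps RFC 4122 version-4 and variant bits onto 16 raw bytes and
// renders the canonical 8-4-4-4-12 lowercase hex form.
func formatV4(b [16]byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// uuidV4Unchecked mirrors the defect the advisory describes: the error from the
// randomness source is dropped, so on failure the caller gets a fixed value
// built from an all-zero buffer instead of an error. (Illustrative, not Fiber's code.)
func uuidV4Unchecked(src io.Reader) string {
	var b [16]byte
	_, _ = io.ReadFull(src, b[:]) // error discarded: buffer stays zero on failure
	return formatV4(b)
}

// uuidV4Checked is the fail-closed form: any short read or error propagates.
func uuidV4Checked(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("%w: %v", ErrNoEntropy, err)
	}
	return formatV4(b), nil
}

// failingReader simulates crypto/rand returning an error (possible before Go 1.24).
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) {
	return 0, errors.New("getrandom: resource temporarily unavailable")
}

// NilV4 is exactly what the unchecked path yields when every random byte is zero:
// version and variant bits are set, everything else is 0.
const NilV4 = "00000000-0000-4000-8000-000000000000"

// looksPredictable flags identifiers an application should refuse to trust as a
// session or CSRF token: the zero UUID, or anything not in canonical v4 shape.
func looksPredictable(id string) bool {
	if len(id) != 36 || id == NilV4 {
		return true
	}
	if id[14] != '4' { // version nibble
		return true
	}
	switch id[19] { // variant nibble
	case '8', '9', 'a', 'b':
		return false
	}
	return true
}

// NewKeyGenerator returns a func() string for a KeyGenerator-style hook (assumed
// here to be the shape Fiber's session/CSRF config accept). It panics rather than
// hand out a predictable key, which is the fail-closed behaviour a token source needs.
func NewKeyGenerator(src io.Reader) func() string {
	return func() string {
		id, err := uuidV4Checked(src)
		if err != nil {
			panic(err)
		}
		return id
	}
}

func main() {
	fmt.Println("unchecked, rand failing:", uuidV4Unchecked(failingReader{}))
	if _, err := uuidV4Checked(failingReader{}); err != nil {
		fmt.Println("checked, rand failing  :", err)
	}
	id := NewKeyGenerator(rand.Reader)()
	fmt.Println("checked, rand healthy  :", id, "predictable?", looksPredictable(id))
}
```

Running it shows the unchecked path returning the same `00000000-0000-4000-8000-000000000000` on every call while the source is failing, which is the value a session store or CSRF check would then accept from every client; the checked path surfaces `ErrNoEntropy` instead. A `looksPredictable`-style guard on the consuming side is only a safety net, since a degraded (rather than fully failed) source can yield low-entropy but well-formed identifiers; the real fix is to upgrade to Fiber 2.52.11 or later or to Go 1.24 or later, where the error path no longer exists.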
Statement
This vulnerability is classified as Important rather than Critical because exploitation depends on an environmental failure of the randomness source rather than a condition directly controllable by a remote attacker. The flaw does not enable immediate unauthenticated remote code execution or direct system compromise; instead, impact occurs only if crypto/rand fails and the application subsequently relies on predictable UUID values in security-sensitive contexts. Since triggering conditions typically involve misconfigured containers, restricted environments, or degraded entropy sources, successful exploitation requires additional environmental or application-specific weaknesses. Therefore, while confidentiality and integrity can be significantly affected once triggered, the lack of a direct, easily exploitable remote attack path aligns the issue with Important severity rather than Critical.
Mitigation
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
References
Additional information
Status:
EPSS
7.7 High
CVSS3
Related vulnerabilities
Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure