GHSA-68rr-p4fp-j59v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-68rr-p4fp-j59v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-68rr-p4fp-j59v/GHSA-68rr-p4fp-j59v.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-68rr-p4fp-j59v
- Aliases
- Published
- 2026-02-09T15:28:37Z
- Modified
- 2026-02-09T19:16:07.902449Z
- Severity
-
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Fiber has an insecure fallback in utils.UUIDv4() / utils.UUID() — predictable / zero‑UUID on crypto/rand failure
- Details
-
Fiber v2 contains an internal vendored copy of
gofiber/utils, and its functionsUUIDv4()andUUID()inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlyingcrypto/randimplementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values — the all-zero UUID00000000-0000-0000-0000-000000000000.On Go 1.24+, the language guarantees that
crypto/randno longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using
utils.UUIDv4().Impact includes, but is not limited to:
- Session fixation or hijacking (predictable session IDs)
- CSRF token forgery or bypass
- Authentication replay / token prediction
- Potential denial-of-service (DoS): if the zero UUID is generated, key-based structures (sessions, rate-limits, caches, CSRF stores) may collapse into a single shared key, causing overwrites, lock contention, or state corruption
- Request-ID collisions, undermining logging and trace integrity
- General compromise of confidentiality, integrity, and authorization logic relying on UUIDs for uniqueness or secrecy
All Fiber v2 versions containing the internal
utils.UUIDv4()/utils.UUID()implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.
Suggested Mitigations / Workarounds
Update to the latest version of Fiber v2.
Likelihood / Environmental Factors
It’s important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel’s CSPRNG is resilient and non-blocking. However, entropy-source failures — where
crypto/randcannot read from its underlying provider — are significantly more likely in certain environments.This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to
/dev/urandomor platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures causecrypto/randto return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.
References
- Upstream advisory for
gofiber/utils: GHSA-m98w-cqp3-qcqr Source repositories:
github.com/gofiber/fibergithub.com/gofiber/utils
Credits / Reporter
Reported by @sixcolors (Fiber Maintainer / Security Team)
- Database specific
{ "nvd_published_at": "2026-02-09T18:16:04Z", "cwe_ids": [ "CWE-338" ], "github_reviewed_at": "2026-02-09T15:28:37Z", "severity": "CRITICAL", "github_reviewed": true }- References
Affected packages
Go / github.com/gofiber/fiber/v2
Package
- Name
- github.com/gofiber/fiber/v2
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/gofiber/fiber/v2