Security Vulnerability Report
CVE-2025-66565 CVSS 9.8 CRITICAL

CVE-2025-66565

Published: 2025-12-09 16:18:21
Last Modified: 2025-12-11 16:35:07

Description

Fiber Utils is a collection of common functions created for Fiber. In versions 2.0.0-rc.3 and below, when the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, including the zero UUID "00000000-0000-0000-0000-000000000000". The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures, compromising the security of all Fiber applications using these functions for security-critical operations. This issue is fixed in version 2.0.0-rc.4.
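The pattern the advisory describes, shown as an added example that is not code from the gofiber/utils project: a UUID generator that quietly substitutes the zero UUID when its random source fails, beside the fail-closed form that returns an error instead. The `failingReader` type and both function names are constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// zeroUUID is the fallback value the advisory names.
const zeroUUID = "00000000-0000-0000-0000-000000000000"

// formatUUID renders 16 bytes in the 8-4-4-4-12 textual form.
func formatUUID(b [16]byte) string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16])
}

// vulnerableUUID models the failure path in the advisory: when the random
// source fails, the zero UUID is returned and the caller never learns of it.
func vulnerableUUID(r io.Reader) string {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return zeroUUID // silent, predictable fallback
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return formatUUID(b)
}

// safeUUID is the fail-closed form: an entropy failure becomes an error, so a
// session or token issuer can refuse the request instead of using a guessable id.
func safeUUID(r io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return "", fmt.Errorf("uuid: random source failed: %w", err)
	}
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
	return formatUUID(b), nil
}

// failingReader is a constructed stand-in for a broken crypto/rand.Reader.
type failingReader struct{}
func (failingReader) Read([]byte) (int, error) { return 0, errors.New("entropy unavailable") }

func main() {
	fmt.Println("vulnerable pattern, broken source:", vulnerableUUID(failingReader{}))
	if _, err := safeUUID(failingReader{}); err != nil {
		fmt.Println("fail-closed pattern, broken source:", err)
	}
}
```

In production code pass `crypto/rand.Reader` to `safeUUID` and treat its error as a hard failure of the request that needed the identifier.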

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:gofiber:utils:*:*:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:gofiber:utils:2.0.0:beta1:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:gofiber:utils:2.0.0:beta10:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:gofiber:utils:2.0.0:beta11:*:*:*:go:*:* - VULNERABLE
cpe:2.3:a:gofiber:utils:2.0.0:beta12:*:*:*:go:*:* - VULNERABLE
gofiber/utils < 2.0.0-rc.4
Fiber Utils 2.0.0-rc.3 and below

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
go
// CVE-2025-66565 PoC - Predictable UUID Generation in Fiber Utils
// When crypto/rand fails, Fiber Utils returns predictable UUIDs
package main

import (
	"fmt"

	"github.com/gofiber/utils"
)

func main() {
	// This PoC does not force a crypto/rand failure itself; it calls the two
	// functions and inspects what they return.
	// In vulnerable versions, when crypto/rand fails:
	// - utils.NewUUID() returns predictable values
	// - utils.UUID() returns "00000000-0000-0000-0000-000000000000"
	fmt.Println("CVE-2025-66565 - Fiber Utils Predictable UUID PoC")
	fmt.Println("==============================================")

	// Generate UUIDs - in vulnerable versions these may be predictable
	uuid1 := utils.NewUUID()
	uuid2 := utils.UUID()
	fmt.Printf("UUID1: %s\n", uuid1)
	fmt.Printf("UUID2: %s\n", uuid2)

	// Check for the zero UUID (indicates the crypto/rand failure was not handled)
	if uuid2 == "00000000-0000-0000-0000-000000000000" {
		fmt.Println("[VULNERABLE] Zero UUID detected - crypto/rand failure not handled")
	}

	// Attack scenario: predictable UUIDs used to hijack sessions / perform IDOR
	// 1. Attacker observes predictable UUID pattern
	// 2. Attacker predicts future UUIDs
	// 3. Attacker uses predicted UUIDs for unauthorized access
	fmt.Println("\nAttack Scenario:")
	fmt.Println("1. Force crypto/rand failure or observe predictable output")
	fmt.Println("2. Predict next UUID based on pattern")
	fmt.Println("3. Use predicted UUID for session hijacking/IDOR attacks")
}

References

Raw JSON Data
