CWE-252
AllowedUnchecked Return Value
Abstraction: Base · Status: Draft
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
227 vulnerabilities reference this CWE, most recent first.
GHSA-J448-FPW2-XVGR
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-25 18:30In the Linux kernel, the following vulnerability has been resolved:
ALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()
scarlett2_usb_set_config() calls scarlett2_usb_get() but was not checking the result. Return the error if it fails rather than continuing with an invalid value.
{
"affected": [],
"aliases": [
"CVE-2023-52692"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:20Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error check to scarlett2_usb_set_config()\n\nscarlett2_usb_set_config() calls scarlett2_usb_get() but was not\nchecking the result. Return the error if it fails rather than\ncontinuing with an invalid value.",
"id": "GHSA-j448-fpw2-xvgr",
"modified": "2025-09-25T18:30:28Z",
"published": "2024-05-17T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52692"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/145c5aa51486171025ab47f35cff34bff8d0cea3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/51d5697e1c0380d482c3eab002bfc8d0be177e99"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/996fde492ad9b9563ee483b363af40d7696a8467"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/be96acd3eaa790d10a5b33e65267f52d02f6ad88"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/ca459dfa7d4ed9098fcf13e410963be6ae9b6bf3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JCQP-6R6F-3MFX
Vulnerability from github – Published: 2026-05-18 20:36 – Updated: 2026-06-11 14:05When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-HDRI-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q16-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-AnyCPU"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-OpenMP-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-arm64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x64"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "NuGet",
"name": "Magick.NET-Q8-x86"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "14.13.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-46521"
],
"database_specific": {
"cwe_ids": [
"CWE-131",
"CWE-252",
"CWE-787",
"CWE-835"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-18T20:36:53Z",
"nvd_published_at": "2026-06-10T23:16:46Z",
"severity": "MODERATE"
},
"details": "When using LZMA compression in the MIFF encoder an out of bounds write can occur due to a missing check.",
"id": "GHSA-jcqp-6r6f-3mfx",
"modified": "2026-06-11T14:05:56Z",
"published": "2026-05-18T20:36:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-jcqp-6r6f-3mfx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46521"
},
{
"type": "PACKAGE",
"url": "https://github.com/ImageMagick/ImageMagick"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "ImageMagick: Heap Buffer Over-Write in MIFF encoder when using LZMA compression"
}
GHSA-JF8H-PRQ4-W478
Vulnerability from github – Published: 2022-10-19 12:00 – Updated: 2022-10-21 19:01Cryptographic issue in WLAN due to improper check on return value while authentication handshake in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking
{
"affected": [],
"aliases": [
"CVE-2022-25718"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-10-19T11:15:00Z",
"severity": "CRITICAL"
},
"details": "Cryptographic issue in WLAN due to improper check on return value while authentication handshake in Snapdragon Auto, Snapdragon Connectivity, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice \u0026 Music, Snapdragon Wearables, Snapdragon Wired Infrastructure and Networking",
"id": "GHSA-jf8h-prq4-w478",
"modified": "2022-10-21T19:01:20Z",
"published": "2022-10-19T12:00:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25718"
},
{
"type": "WEB",
"url": "https://www.qualcomm.com/company/product-security/bulletins/october-2022-bulletin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JJRM-H8PR-RF2F
Vulnerability from github – Published: 2024-01-23 15:30 – Updated: 2025-11-04 00:30An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122.
{
"affected": [],
"aliases": [
"CVE-2024-0743"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-23T14:15:38Z",
"severity": "HIGH"
},
"details": "An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox \u003c 122.",
"id": "GHSA-jjrm-h8pr-rf2f",
"modified": "2025-11-04T00:30:44Z",
"published": "2024-01-23T15:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0743"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1867408"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00010.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00022.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00028.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00028.html"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-01"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-13"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2024-14"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JMJP-PPJM-P747
Vulnerability from github – Published: 2022-04-28 00:00 – Updated: 2022-05-06 00:01In Eclipse Openj9 before version 0.32.0, Java 8 & 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.
{
"affected": [],
"aliases": [
"CVE-2021-41041"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-27T02:15:00Z",
"severity": "MODERATE"
},
"details": "In Eclipse Openj9 before version 0.32.0, Java 8 \u0026 11 fail to throw the exception captured during bytecode verification when verification is triggered by a MethodHandle invocation, allowing unverified methods to be invoked using MethodHandles.",
"id": "GHSA-jmjp-ppjm-p747",
"modified": "2022-05-06T00:01:09Z",
"published": "2022-04-28T00:00:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41041"
},
{
"type": "WEB",
"url": "https://github.com/eclipse-openj9/openj9/pull/14935"
},
{
"type": "WEB",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=579744"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M69R-9G56-7MV8
Vulnerability from github – Published: 2022-09-25 00:00 – Updated: 2023-09-06 18:54HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul’s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.11.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "1.12.0"
},
{
"fixed": "1.12.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/hashicorp/consul"
},
"ranges": [
{
"events": [
{
"introduced": "1.13.0"
},
{
"fixed": "1.13.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-40716"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-29T14:39:58Z",
"nvd_published_at": "2022-09-23T12:15:00Z",
"severity": "MODERATE"
},
"details": "HashiCorp Consul and Consul Enterprise versions prior to 1.11.9, 1.12.5, and 1.13.2 do not check for multiple SAN URI values in a CSR on the internal RPC endpoint, enabling leverage of privileged access to bypass service mesh intentions. A specially crafted CSR sent directly to Consul\u2019s internal server agent RPC endpoint can include multiple SAN URI values with additional service names. This issue has been fixed in versions 1.11.9, 1.12.5, and 1.13.2. There are no known workarounds.",
"id": "GHSA-m69r-9g56-7mv8",
"modified": "2023-09-06T18:54:15Z",
"published": "2022-09-25T00:00:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40716"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/consul/pull/14579"
},
{
"type": "WEB",
"url": "https://github.com/hashicorp/consul/commit/8f6fb4f6fe9488b8ec37da71ac503081d7d3760b"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com"
},
{
"type": "WEB",
"url": "https://discuss.hashicorp.com/t/hcsec-2022-20-consul-service-mesh-intention-bypass-with-malicious-certificate-signing-request/44628"
},
{
"type": "PACKAGE",
"url": "https://github.com/hashicorp/consul"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LYZOKMMVX4SIEHPJW3SJUQGMO5YZCPHC"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZTE4ITXXPIWZEQ4HYQCB6N6GZIMWXDAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "HashiCorp Consul vulnerable to authorization bypass"
}
GHSA-M98W-CQP3-QCQR
Vulnerability from github – Published: 2025-12-08 17:57 – Updated: 2025-12-12 16:30Summary
Critical security vulnerabilities exist in both the UUIDv4() and UUID() functions of the github.com/gofiber/utils package. When the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, the zero UUID "00000000-0000-0000-0000-000000000000". This compromises the security of all Fiber applications using these functions for security-critical operations on Go versions prior to 1.24.
Both functions are vulnerable to the same root cause (crypto/rand failure):
UUIDv4(): Indirect vulnerability throughuuid.NewRandom()→crypto/rand.Read()→ fallback toUUID()UUID(): Direct vulnerability throughcrypto/rand.Read(uuidSeed[:])→ silent zero UUID return
Note: Go 1.24 and later panics on
crypto/randRead()failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.
Vulnerability Details
Affected Functions
- Package:
github.com/gofiber/utils - Functions:
UUIDv4()andUUID() - Return Type:
string(both functions) - Locations:
common.go:93-99(UUIDv4),common.go:60-89(UUID)
Technical Description
The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures on Go < 1.24:
Primary Path: UUIDv4() Vulnerability
UUIDv4()callsgoogle/uuid.NewRandom()which internally usescrypto/rand.Read()- If
uuid.NewRandom()fails,UUIDv4()falls back to the internalUUID()function - No error is returned to the application - silent security failure occurs
Secondary Path: UUID() Vulnerability
UUID()directly callscrypto/rand.Read(uuidSeed[:])to seed its internal state- If seeding fails,
UUID()silently fails and returns the zero UUID"00000000-0000-0000-0000-000000000000" - Applications receive predictable UUIDs with no indication of the security failure
Code Analysis
UUIDv4() Vulnerability Path
func UUIDv4() string {
token, err := uuid.NewRandom() // Uses crypto/rand.Read() internally
if err != nil {
return UUID() // Dangerous fallback - no error returned to application
}
return token.String()
}
UUID() Vulnerability Path
func UUID() string {
uuidSetup.Do(func() {
if _, err := rand.Read(uuidSeed[:]); err != nil { // Direct crypto/rand.Read() call
return // Silent failure - no seeding, uuidCounter remains 0
}
uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
})
if atomic.LoadUint64(&uuidCounter) <= 0 {
return "00000000-0000-0000-0000-000000000000" // Zero UUID returned silently
}
// ... generate UUID from counter
}
Root Cause: Both vulnerabilities stem from crypto/rand.Read() failures, occurring through different code paths with the same dangerous silent fallback behavior.
Security Impact
Severity: CRITICAL
This issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to utils.UUIDv4() for generating security-sensitive identifiers. A failure in crypto/rand would cause every generated identifier across the entire application to collapse to a single predictable value (the zero UUID), resulting in:
- Session fixation / universal session hijack
- CSRF token predictability and bypass
- Authentication token replay
- Global identifier collisions leading to severe application breakage
- Potential application-wide DoS due to every request using the same “unique” key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users
Attack Scenario
While entropy exhaustion is extremely rare on modern Linux systems, RNG access failures (e.g., restricted /dev/random or /dev/urandom access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on Go < 1.24, crypto/rand may return errors immediately — triggering the vulnerable fallback paths.
On Go 1.24+, crypto/rand Read() panics on failure, mitigating the silent-zero fallback issue.
Proof of Concept
uuid.NewRandom()fails (indirectcrypto/rand.Read()failure)UUIDv4()callsUUID()as fallback with no error returnedUUID()seeding fails directly viacrypto/rand.Read(uuidSeed[:])- Zero UUID
"00000000-0000-0000-0000-000000000000"is returned silently - No error is propagated to the application from either function
Affected Versions
- All versions of
github.com/gofiber/utilscontaining theUUIDv4()orUUID()functions - Applications using Fiber middleware that depend on
UUIDv4()orUUIDfor security - Only applicable to Go < 1.24; Go 1.24+ panics/block on
crypto/randRead()failures and is not affected
Mitigation
Immediate Workaround
Replace usage of utils.UUIDv4() with uuid.New() or wait for fix:
sessionID := uuid.New()
Recommended Fix
Modify utils.UUIDv4() and utils.UUID() to fail explicitly when cryptographic randomness is unavailable:
func UUIDv4() string {
token, err := uuid.NewRandom()
if err != nil {
panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err))
}
return token.String()
}
func UUID() string {
uuidSetup.Do(func() {
if _, err := rand.Read(uuidSeed[:]); err != nil {
panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err))
}
uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
})
if atomic.LoadUint64(&uuidCounter) <= 0 {
panic("utils: UUID generator not properly seeded")
}
// ... generate UUID from counter
}
Detection
Applications can detect if they're affected by:
- Checking if they use
github.com/gofiber/utils - Searching for
UUIDv4()andUUID()usage in security-critical code paths - Reviewing Fiber middleware configurations that rely on defaults of
UUIDv4()for security identifiers
References
- Package Repository: https://github.com/gofiber/utils
- Fiber Framework: https://github.com/gofiber/fiber
- Google UUID Library: https://github.com/google/uuid
- Golang
crypto/randbehavior changes: golang/go#66821, Go 1.25.5 source
Contact
Reported by: @sixcolors
Classification
- OWASP: A02:2021 - Cryptographic Failures
- Impact: Complete compromise of application security model on Go < 1.24
- Exploitability: Medium (requires entropy failure)
- Scope: All Fiber applications using affected middleware on Go < 1.24
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.0.0-rc.3.0.20251205210924-6c6cf047032b"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/utils/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-rc.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66565"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-331",
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T17:57:26Z",
"nvd_published_at": "2025-12-09T16:18:21Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nCritical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system\u0027s cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, the zero UUID `\"00000000-0000-0000-0000-000000000000\"`. This compromises the security of all Fiber applications using these functions for security-critical operations on **Go versions prior to 1.24**.\n\n**Both functions are vulnerable to the same root cause (`crypto/rand` failure):**\n\n* `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` \u2192 `crypto/rand.Read()` \u2192 fallback to `UUID()`\n* `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` \u2192 silent zero UUID return\n\n\u003e **Note:** Go 1.24 and later panics on `crypto/rand` `Read()` failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.\n\n---\n\n## Vulnerability Details\n\n### Affected Functions\n\n* **Package**: `github.com/gofiber/utils`\n* **Functions**: `UUIDv4()` and `UUID()`\n* **Return Type**: `string` (both functions)\n* **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-89` (UUID)\n\n### Technical Description\n\nThe vulnerability occurs through two related but distinct failure paths, both ultimately caused by `crypto/rand.Read()` failures on Go \u003c 1.24:\n\n#### Primary Path: UUIDv4() Vulnerability\n\n1. `UUIDv4()` calls `google/uuid.NewRandom()` which internally uses `crypto/rand.Read()`\n2. If `uuid.NewRandom()` fails, `UUIDv4()` falls back to the internal `UUID()` function\n3. **No error is returned to the application** - silent security failure occurs\n\n#### Secondary Path: UUID() Vulnerability\n\n1. `UUID()` directly calls `crypto/rand.Read(uuidSeed[:])` to seed its internal state\n2. If seeding fails, `UUID()` **silently fails** and returns the zero UUID `\"00000000-0000-0000-0000-000000000000\"`\n3. Applications receive predictable UUIDs with no indication of the security failure\n\n---\n\n### Code Analysis\n\n#### UUIDv4() Vulnerability Path\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom() // Uses crypto/rand.Read() internally\n\tif err != nil {\n\t\treturn UUID() // Dangerous fallback - no error returned to application\n\t}\n\treturn token.String()\n}\n```\n\n#### UUID() Vulnerability Path\n\n```go\nfunc UUID() string {\n\tuuidSetup.Do(func() {\n\t\tif _, err := rand.Read(uuidSeed[:]); err != nil { // Direct crypto/rand.Read() call\n\t\t\treturn // Silent failure - no seeding, uuidCounter remains 0\n\t\t}\n\t\tuuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n\t})\n\tif atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n\t\treturn \"00000000-0000-0000-0000-000000000000\" // Zero UUID returned silently\n\t}\n\t// ... generate UUID from counter\n}\n```\n\n**Root Cause:** Both vulnerabilities stem from `crypto/rand.Read()` failures, occurring through different code paths with the same dangerous silent fallback behavior.\n\n---\n\n## Security Impact\n\n### Severity: CRITICAL\n\nThis issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to `utils.UUIDv4()` for generating security-sensitive identifiers. A failure in `crypto/rand` would cause **every generated identifier across the entire application** to collapse to a single predictable value (the zero UUID), resulting in:\n\n* **Session fixation / universal session hijack**\n* **CSRF token predictability and bypass**\n* **Authentication token replay**\n* **Global identifier collisions leading to severe application breakage**\n* **Potential application-wide DoS** due to every request using the same \u201cunique\u201d key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users\n\n---\n\n### Attack Scenario\n\nWhile **entropy exhaustion is extremely rare on modern Linux systems**, *RNG access failures* (e.g., restricted `/dev/random` or `/dev/urandom` access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on **Go \u003c 1.24**, `crypto/rand` may return errors immediately \u2014 triggering the vulnerable fallback paths.\n\nOn **Go 1.24+**, `crypto/rand` `Read()` panics on failure, mitigating the silent-zero fallback issue.\n\n---\n\n### Proof of Concept\n\n1. `uuid.NewRandom()` fails (indirect `crypto/rand.Read()` failure)\n2. `UUIDv4()` calls `UUID()` as fallback with no error returned\n3. `UUID()` seeding fails directly via `crypto/rand.Read(uuidSeed[:])`\n4. Zero UUID `\"00000000-0000-0000-0000-000000000000\"` is returned silently\n5. No error is propagated to the application from either function\n\n---\n\n## Affected Versions\n\n* All versions of `github.com/gofiber/utils` containing the `UUIDv4()` or `UUID()` functions\n* Applications using Fiber middleware that depend on `UUIDv4()` or `UUID` for security\n* **Only applicable to Go \u003c 1.24**; Go 1.24+ panics/block on `crypto/rand` `Read()` failures and is not affected\n\n---\n\n## Mitigation\n\n### Immediate Workaround\n\nReplace usage of `utils.UUIDv4()` with `uuid.New()` or wait for fix:\n\n```go\nsessionID := uuid.New()\n```\n\n### Recommended Fix\n\nModify `utils.UUIDv4()` and `utils.UUID()` to fail explicitly when cryptographic randomness is unavailable:\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"utils: failed to generate secure UUID: %v\", err))\n\t}\n\treturn token.String()\n}\n\nfunc UUID() string {\n uuidSetup.Do(func() {\n if _, err := rand.Read(uuidSeed[:]); err != nil {\n panic(fmt.Sprintf(\"utils: failed to seed UUID generator: %v\", err))\n }\n uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n })\n if atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n panic(\"utils: UUID generator not properly seeded\")\n }\n // ... generate UUID from counter\n}\n```\n\n---\n\n## Detection\n\nApplications can detect if they\u0027re affected by:\n\n1. Checking if they use `github.com/gofiber/utils`\n2. Searching for `UUIDv4()` and `UUID()` usage in security-critical code paths\n3. Reviewing Fiber middleware configurations that rely on defaults of `UUIDv4()` for security identifiers\n\n---\n\n## References\n\n* **Package Repository**: [https://github.com/gofiber/utils](https://github.com/gofiber/utils)\n* **Fiber Framework**: [https://github.com/gofiber/fiber](https://github.com/gofiber/fiber)\n* **Google UUID Library**: [https://github.com/google/uuid](https://github.com/google/uuid)\n* Golang `crypto/rand` behavior changes: [golang/go#66821](https://github.com/golang/go/issues/66821), [Go 1.25.5 source](https://cs.opensource.google/go/go/+/refs/tags/go1.25.5:src/crypto/rand/rand.go;l=80)\n\n---\n\n## Contact\n\nReported by: [@sixcolors](https://github.com/sixcolors)\n\n---\n\n## Classification\n\n* **OWASP**: A02:2021 - Cryptographic Failures\n* **Impact**: Complete compromise of application security model on Go \u003c 1.24\n* **Exploitability**: Medium (requires entropy failure)\n* **Scope**: All Fiber applications using affected middleware on Go \u003c 1.24",
"id": "GHSA-m98w-cqp3-qcqr",
"modified": "2025-12-12T16:30:26Z",
"published": "2025-12-08T17:57:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66565"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/utils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values"
}
GHSA-M9H3-F3G9-FQRF
Vulnerability from github – Published: 2022-05-02 06:10 – Updated: 2024-01-21 03:30The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite.
{
"affected": [],
"aliases": [
"CVE-2010-0211"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2010-07-28T12:48:00Z",
"severity": "MODERATE"
},
"details": "The slap_modrdn2mods function in modrdn.c in OpenLDAP 2.4.22 does not check the return value of a call to the smr_normalize function, which allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a modrdn call with an RDN string containing invalid UTF-8 sequences, which triggers a free of an invalid, uninitialized pointer in the slap_mods_free function, as demonstrated using the Codenomicon LDAPv3 test suite.",
"id": "GHSA-m9h3-f3g9-fqrf",
"modified": "2024-01-21T03:30:24Z",
"published": "2022-05-02T06:10:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2010-0211"
},
{
"type": "WEB",
"url": "http://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10705"
},
{
"type": "WEB",
"url": "http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40639"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40677"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/40687"
},
{
"type": "WEB",
"url": "http://secunia.com/advisories/42787"
},
{
"type": "WEB",
"url": "http://security.gentoo.org/glsa/glsa-201406-36.xml"
},
{
"type": "WEB",
"url": "http://support.apple.com/kb/HT4435"
},
{
"type": "WEB",
"url": "http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6570"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0542.html"
},
{
"type": "WEB",
"url": "http://www.redhat.com/support/errata/RHSA-2010-0543.html"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/515545/100/0/threaded"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/41770"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id?1024221"
},
{
"type": "WEB",
"url": "http://www.vmware.com/security/advisories/VMSA-2011-0001.html"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1849"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2010/1858"
},
{
"type": "WEB",
"url": "http://www.vupen.com/english/advisories/2011/0025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MF8V-4V5X-G329
Vulnerability from github – Published: 2024-05-17 15:31 – Updated: 2025-09-25 18:30In the Linux kernel, the following vulnerability has been resolved:
ALSA: scarlett2: Add missing error checks to *_ctl_get()
The ctl_get() functions which call scarlett2_update() were not checking the return value. Fix to check the return value and pass to the caller.
{
"affected": [],
"aliases": [
"CVE-2023-52680"
],
"database_specific": {
"cwe_ids": [
"CWE-252"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-17T15:15:19Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: scarlett2: Add missing error checks to *_ctl_get()\n\nThe *_ctl_get() functions which call scarlett2_update_*() were not\nchecking the return value. Fix to check the return value and pass to\nthe caller.",
"id": "GHSA-mf8v-4v5x-g329",
"modified": "2025-09-25T18:30:28Z",
"published": "2024-05-17T15:31:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52680"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/3a09488f4f67f7ade59b8ac62a6c7fb29439cf51"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/50603a67daef161c78c814580d57f7f0be57167e"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/773e38f73461ef2134a0d33a08f1668edde9b7c3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/821fbaeaaae23d483d3df799fe91ec8045973ec3"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/cda7762bea857e6951315a2f7d0632ea1850ed43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-MFRM-W63C-3X58
Vulnerability from github – Published: 2025-04-08 03:32 – Updated: 2025-11-03 21:33In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.
{
"affected": [],
"aliases": [
"CVE-2025-32414"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-393"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-08T03:15:15Z",
"severity": "MODERATE"
},
"details": "In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.",
"id": "GHSA-mfrm-w63c-3x58",
"modified": "2025-11-03T21:33:30Z",
"published": "2025-04-08T03:32:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32414"
},
{
"type": "WEB",
"url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00041.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-53
Check the results of all functions that return a value and verify that the value is expected.
Mitigation MIT-56
For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
Mitigation
Ensure that you account for all possible return values from the function.
Mitigation
When designing a function, make sure you return a value or throw an exception in case of an error.
No CAPEC attack patterns related to this CWE.