Common Weakness Enumeration

CWE-331

Allowed

Insufficient Entropy

Abstraction: Base · Status: Draft

The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.

207 vulnerabilities reference this CWE, most recent first.

GHSA-JGF7-8V7J-FWWH

Vulnerability from github – Published: 2026-02-03 15:30 – Updated: 2026-02-03 15:30
VLAI
Details

Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix 'p', resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1814"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-03T15:16:14Z",
    "severity": "HIGH"
  },
  "details": "Rapid7 Nexpose versions 6.4.50 and later are vulnerable to an insufficient entropy issue in the CredentialsKeyStorePassword.generateRandomPassword() method. When updating legacy keystore passwords, the application generates a new password with insufficient length (7-12 characters) and a static prefix \u0027p\u0027, resulting in a weak keyspace. An attacker with access to the nsc.ks file can brute-force this password using consumer-grade hardware to decrypt stored credentials.",
  "id": "GHSA-jgf7-8v7j-fwwh",
  "modified": "2026-02-03T15:30:24Z",
  "published": "2026-02-03T15:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1814"
    },
    {
      "type": "WEB",
      "url": "https://www.atredis.com/disclosure"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-JQP9-HWJJ-P328

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2022-05-14 00:56
VLAI
Details

It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2626"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T19:29:00Z",
    "severity": "MODERATE"
  },
  "details": "It was discovered that libICE before 1.0.9-8 used a weak entropy to generate keys. A local attacker could potentially use this flaw for session hijacking using the information available from the process list.",
  "id": "GHSA-jqp9-hwjj-p328",
  "modified": "2022-05-14T00:56:29Z",
  "published": "2022-05-14T00:56:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2626"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1865"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2017-2626"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1424992"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2626"
    },
    {
      "type": "WEB",
      "url": "https://cgit.freedesktop.org/xorg/lib/libICE/commit/?id=ff5e59f32255913bb1cdf51441b98c9107ae165b"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201704-03"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/07/14/3"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96480"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037919"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JQXQ-7F92-M7WW

Vulnerability from github – Published: 2025-03-11 00:31 – Updated: 2025-03-11 03:30
VLAI
Details

Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions.

Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider.

In particular, Windows versions of perl will encounter this issue by default.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-1828"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331",
      "CWE-338"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-03-11T00:15:11Z",
    "severity": "HIGH"
  },
  "details": "Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions.\n\nCrypt::Random::rand 1.05 through 1.55 uses the rand() function.  If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider.\n\nIn particular, Windows versions of perl will encounter this issue by default.",
  "id": "GHSA-jqxq-7f92-m7ww",
  "modified": "2025-03-11T03:30:49Z",
  "published": "2025-03-11T00:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1828"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-Crypt-OpenPGP/Crypt-Random/pull/1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/perl-Crypt-OpenPGP/Crypt-Random/commit/1f8b29e9e89d8d083fd025152e76ec918136cc05"
    },
    {
      "type": "WEB",
      "url": "https://perldoc.perl.org/functions/rand"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRCG-6C8X-FF3H

Vulnerability from github – Published: 2024-10-23 18:33 – Updated: 2024-10-23 18:33
VLAI
Details

A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating.

This vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-20331"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-330",
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-23T17:15:17Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability in the session authentication functionality of the Remote Access SSL VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to prevent users from authenticating.\n\nThis vulnerability is due to insufficient entropy in the authentication process. An attacker could exploit this vulnerability by determining the handle of an authenticating user and using it to terminate their authentication session. A successful exploit could allow the attacker to force a user to restart the authentication process, preventing a legitimate user from establishing remote access VPN sessions.",
  "id": "GHSA-jrcg-6c8x-ff3h",
  "modified": "2024-10-23T18:33:08Z",
  "published": "2024-10-23T18:33:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-20331"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asa-vpn-nyH3fhp"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-fmc-xss-M446vbEO"
    },
    {
      "type": "WEB",
      "url": "https://sec.cloudapps.cisco.com/security/center/viewErp.x?alertId=ERP-75300"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-JRGJ-6P6V-GF22

Vulnerability from github – Published: 2022-08-16 00:00 – Updated: 2022-08-19 00:00
VLAI
Details

dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selected randomly only at boot time) in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-33989"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-15T13:15:00Z",
    "severity": "MODERATE"
  },
  "details": "dproxy-nexgen (aka dproxy nexgen) uses a static UDP source port (selected randomly only at boot time) in upstream queries sent to DNS resolvers. This allows DNS cache poisoning because there is not enough entropy to prevent traffic injection attacks.",
  "id": "GHSA-jrgj-6p6v-gf22",
  "modified": "2022-08-19T00:00:22Z",
  "published": "2022-08-16T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33989"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/dproxy"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2022/08/14/3"
    },
    {
      "type": "WEB",
      "url": "https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M22W-QPWR-JXRJ

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-2858"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2016-04-07T19:59:00Z",
    "severity": "MODERATE"
  },
  "details": "QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.",
  "id": "GHSA-m22w-qpwr-jxrj",
  "modified": "2022-05-13T01:14:34Z",
  "published": "2022-05-13T01:14:34Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-2858"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1314676"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201604-01"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956"
    },
    {
      "type": "WEB",
      "url": "http://git.qemu.org/?p=qemu.git;a=commit;h=60253ed1e6ec6d8e5ef2efe7bf755f475dce9956"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/03/04/1"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/03/07/4"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/84134"
    },
    {
      "type": "WEB",
      "url": "http://www.ubuntu.com/usn/USN-2974-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M24W-QFH4-J8M4

Vulnerability from github – Published: 2022-06-15 00:00 – Updated: 2024-07-09 12:30
VLAI
Details

A vulnerability has been identified in SINEMA Remote Connect Server (All versions < V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-27221"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-06-14T10:15:00Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been identified in SINEMA Remote Connect Server (All versions \u003c V3.1). An attacker in machine-in-the-middle could obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a \"BREACH\" attack.",
  "id": "GHSA-m24w-qfh4-j8m4",
  "modified": "2024-07-09T12:30:54Z",
  "published": "2022-06-15T00:00:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27221"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-484086.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-484086.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M7X8-4574-HXW6

Vulnerability from github – Published: 2022-08-09 00:00 – Updated: 2022-08-13 00:00
VLAI
Details

websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-41615"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-08T19:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "websda.c in GoAhead WebServer 2.1.8 has insufficient nonce entropy because the nonce calculation relies on the hardcoded onceuponatimeinparadise value, which does not follow the secret-data guideline for HTTP Digest Access Authentication in RFC 7616 section 3.3 (or RFC 2617 section 3.2.1). NOTE: 2.1.8 is a version from 2003; however, the affected websda.c code appears in multiple derivative works that may be used in 2021. Recent GoAhead software is unaffected.",
  "id": "GHSA-m7x8-4574-hxw6",
  "modified": "2022-08-13T00:00:52Z",
  "published": "2022-08-09T00:00:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41615"
    },
    {
      "type": "WEB",
      "url": "https://devel.rtems.org/browser/rtems/cpukit/httpd/websda.c?rev=c1427d2758079f0e9dd6a8de1662d78e0d6bc4ca"
    },
    {
      "type": "WEB",
      "url": "https://github.com/trenta3/goahead-versions/blob/master/2.1.8/230165webs218.tar.gz?raw=true"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M8VJ-88WQ-7CHF

Vulnerability from github – Published: 2023-12-21 21:30 – Updated: 2023-12-21 21:30
VLAI
Details

An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-46648"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-331"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-21T21:15:09Z",
    "severity": "HIGH"
  },
  "details": "An insufficient entropy vulnerability was identified in GitHub Enterprise Server (GHES) that allowed an attacker to brute force a user invitation to the GHES Management Console. To exploit this vulnerability, an attacker would need knowledge that a user invitation was pending. This vulnerability affected all versions of GitHub Enterprise Server since 3.8 and was fixed in version 3.8.12, 3.9.7, 3.10.4, and 3.11.1. This vulnerability was reported via the GitHub Bug Bounty program.\n",
  "id": "GHSA-m8vj-88wq-7chf",
  "modified": "2023-12-21T21:30:31Z",
  "published": "2023-12-21T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46648"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.4"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.1"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.8/admin/release-notes#3.8.12"
    },
    {
      "type": "WEB",
      "url": "https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.7"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-M98W-CQP3-QCQR

Vulnerability from github – Published: 2025-12-08 17:57 – Updated: 2025-12-12 16:30
VLAI
Summary
Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values
Details

Summary

Critical security vulnerabilities exist in both the UUIDv4() and UUID() functions of the github.com/gofiber/utils package. When the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, the zero UUID "00000000-0000-0000-0000-000000000000". This compromises the security of all Fiber applications using these functions for security-critical operations on Go versions prior to 1.24.

Both functions are vulnerable to the same root cause (crypto/rand failure):

  • UUIDv4(): Indirect vulnerability through uuid.NewRandom()crypto/rand.Read() → fallback to UUID()
  • UUID(): Direct vulnerability through crypto/rand.Read(uuidSeed[:]) → silent zero UUID return

Note: Go 1.24 and later panics on crypto/rand Read() failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.


Vulnerability Details

Affected Functions

  • Package: github.com/gofiber/utils
  • Functions: UUIDv4() and UUID()
  • Return Type: string (both functions)
  • Locations: common.go:93-99 (UUIDv4), common.go:60-89 (UUID)

Technical Description

The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures on Go < 1.24:

Primary Path: UUIDv4() Vulnerability

  1. UUIDv4() calls google/uuid.NewRandom() which internally uses crypto/rand.Read()
  2. If uuid.NewRandom() fails, UUIDv4() falls back to the internal UUID() function
  3. No error is returned to the application - silent security failure occurs

Secondary Path: UUID() Vulnerability

  1. UUID() directly calls crypto/rand.Read(uuidSeed[:]) to seed its internal state
  2. If seeding fails, UUID() silently fails and returns the zero UUID "00000000-0000-0000-0000-000000000000"
  3. Applications receive predictable UUIDs with no indication of the security failure

Code Analysis

UUIDv4() Vulnerability Path

func UUIDv4() string {
    token, err := uuid.NewRandom()  // Uses crypto/rand.Read() internally
    if err != nil {
        return UUID()  // Dangerous fallback - no error returned to application
    }
    return token.String()
}

UUID() Vulnerability Path

func UUID() string {
    uuidSetup.Do(func() {
        if _, err := rand.Read(uuidSeed[:]); err != nil {  // Direct crypto/rand.Read() call
            return  // Silent failure - no seeding, uuidCounter remains 0
        }
        uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
    })
    if atomic.LoadUint64(&uuidCounter) <= 0 {
        return "00000000-0000-0000-0000-000000000000"  // Zero UUID returned silently
    }
    // ... generate UUID from counter
}

Root Cause: Both vulnerabilities stem from crypto/rand.Read() failures, occurring through different code paths with the same dangerous silent fallback behavior.


Security Impact

Severity: CRITICAL

This issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to utils.UUIDv4() for generating security-sensitive identifiers. A failure in crypto/rand would cause every generated identifier across the entire application to collapse to a single predictable value (the zero UUID), resulting in:

  • Session fixation / universal session hijack
  • CSRF token predictability and bypass
  • Authentication token replay
  • Global identifier collisions leading to severe application breakage
  • Potential application-wide DoS due to every request using the same “unique” key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users

Attack Scenario

While entropy exhaustion is extremely rare on modern Linux systems, RNG access failures (e.g., restricted /dev/random or /dev/urandom access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on Go < 1.24, crypto/rand may return errors immediately — triggering the vulnerable fallback paths.

On Go 1.24+, crypto/rand Read() panics on failure, mitigating the silent-zero fallback issue.


Proof of Concept

  1. uuid.NewRandom() fails (indirect crypto/rand.Read() failure)
  2. UUIDv4() calls UUID() as fallback with no error returned
  3. UUID() seeding fails directly via crypto/rand.Read(uuidSeed[:])
  4. Zero UUID "00000000-0000-0000-0000-000000000000" is returned silently
  5. No error is propagated to the application from either function

Affected Versions

  • All versions of github.com/gofiber/utils containing the UUIDv4() or UUID() functions
  • Applications using Fiber middleware that depend on UUIDv4() or UUID for security
  • Only applicable to Go < 1.24; Go 1.24+ panics/block on crypto/rand Read() failures and is not affected

Mitigation

Immediate Workaround

Replace usage of utils.UUIDv4() with uuid.New() or wait for fix:

sessionID := uuid.New()

Recommended Fix

Modify utils.UUIDv4() and utils.UUID() to fail explicitly when cryptographic randomness is unavailable:

func UUIDv4() string {
    token, err := uuid.NewRandom()
    if err != nil {
        panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err))
    }
    return token.String()
}

func UUID() string {
    uuidSetup.Do(func() {
        if _, err := rand.Read(uuidSeed[:]); err != nil {
            panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err))
        }
        uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
    })
    if atomic.LoadUint64(&uuidCounter) <= 0 {
        panic("utils: UUID generator not properly seeded")
    }
    // ... generate UUID from counter
}

Detection

Applications can detect if they're affected by:

  1. Checking if they use github.com/gofiber/utils
  2. Searching for UUIDv4() and UUID() usage in security-critical code paths
  3. Reviewing Fiber middleware configurations that rely on defaults of UUIDv4() for security identifiers

References


Contact

Reported by: @sixcolors


Classification

  • OWASP: A02:2021 - Cryptographic Failures
  • Impact: Complete compromise of application security model on Go < 1.24
  • Exploitability: Medium (requires entropy failure)
  • Scope: All Fiber applications using affected middleware on Go < 1.24
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.0.0-rc.3.0.20251205210924-6c6cf047032b"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/utils/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.0.0-rc.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.1.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gofiber/utils"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-66565"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-252",
      "CWE-331",
      "CWE-338"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T17:57:26Z",
    "nvd_published_at": "2025-12-09T16:18:21Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\n\nCritical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system\u0027s cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, the zero UUID `\"00000000-0000-0000-0000-000000000000\"`. This compromises the security of all Fiber applications using these functions for security-critical operations on **Go versions prior to 1.24**.\n\n**Both functions are vulnerable to the same root cause (`crypto/rand` failure):**\n\n* `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` \u2192 `crypto/rand.Read()` \u2192 fallback to `UUID()`\n* `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` \u2192 silent zero UUID return\n\n\u003e **Note:** Go 1.24 and later panics on `crypto/rand` `Read()` failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.\n\n---\n\n## Vulnerability Details\n\n### Affected Functions\n\n* **Package**: `github.com/gofiber/utils`\n* **Functions**: `UUIDv4()` and `UUID()`\n* **Return Type**: `string` (both functions)\n* **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-89` (UUID)\n\n### Technical Description\n\nThe vulnerability occurs through two related but distinct failure paths, both ultimately caused by `crypto/rand.Read()` failures on Go \u003c 1.24:\n\n#### Primary Path: UUIDv4() Vulnerability\n\n1. `UUIDv4()` calls `google/uuid.NewRandom()` which internally uses `crypto/rand.Read()`\n2. If `uuid.NewRandom()` fails, `UUIDv4()` falls back to the internal `UUID()` function\n3. **No error is returned to the application** - silent security failure occurs\n\n#### Secondary Path: UUID() Vulnerability\n\n1. `UUID()` directly calls `crypto/rand.Read(uuidSeed[:])` to seed its internal state\n2. If seeding fails, `UUID()` **silently fails** and returns the zero UUID `\"00000000-0000-0000-0000-000000000000\"`\n3. Applications receive predictable UUIDs with no indication of the security failure\n\n---\n\n### Code Analysis\n\n#### UUIDv4() Vulnerability Path\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()  // Uses crypto/rand.Read() internally\n\tif err != nil {\n\t\treturn UUID()  // Dangerous fallback - no error returned to application\n\t}\n\treturn token.String()\n}\n```\n\n#### UUID() Vulnerability Path\n\n```go\nfunc UUID() string {\n\tuuidSetup.Do(func() {\n\t\tif _, err := rand.Read(uuidSeed[:]); err != nil {  // Direct crypto/rand.Read() call\n\t\t\treturn  // Silent failure - no seeding, uuidCounter remains 0\n\t\t}\n\t\tuuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n\t})\n\tif atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n\t\treturn \"00000000-0000-0000-0000-000000000000\"  // Zero UUID returned silently\n\t}\n\t// ... generate UUID from counter\n}\n```\n\n**Root Cause:** Both vulnerabilities stem from `crypto/rand.Read()` failures, occurring through different code paths with the same dangerous silent fallback behavior.\n\n---\n\n## Security Impact\n\n### Severity: CRITICAL\n\nThis issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to `utils.UUIDv4()` for generating security-sensitive identifiers. A failure in `crypto/rand` would cause **every generated identifier across the entire application** to collapse to a single predictable value (the zero UUID), resulting in:\n\n* **Session fixation / universal session hijack**\n* **CSRF token predictability and bypass**\n* **Authentication token replay**\n* **Global identifier collisions leading to severe application breakage**\n* **Potential application-wide DoS** due to every request using the same \u201cunique\u201d key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users\n\n---\n\n### Attack Scenario\n\nWhile **entropy exhaustion is extremely rare on modern Linux systems**, *RNG access failures* (e.g., restricted `/dev/random` or `/dev/urandom` access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on **Go \u003c 1.24**, `crypto/rand` may return errors immediately \u2014 triggering the vulnerable fallback paths.\n\nOn **Go 1.24+**, `crypto/rand` `Read()` panics on failure, mitigating the silent-zero fallback issue.\n\n---\n\n### Proof of Concept\n\n1. `uuid.NewRandom()` fails (indirect `crypto/rand.Read()` failure)\n2. `UUIDv4()` calls `UUID()` as fallback with no error returned\n3. `UUID()` seeding fails directly via `crypto/rand.Read(uuidSeed[:])`\n4. Zero UUID `\"00000000-0000-0000-0000-000000000000\"` is returned silently\n5. No error is propagated to the application from either function\n\n---\n\n## Affected Versions\n\n* All versions of `github.com/gofiber/utils` containing the `UUIDv4()` or `UUID()` functions\n* Applications using Fiber middleware that depend on `UUIDv4()` or `UUID` for security\n* **Only applicable to Go \u003c 1.24**; Go 1.24+ panics/block on `crypto/rand` `Read()` failures and is not affected\n\n---\n\n## Mitigation\n\n### Immediate Workaround\n\nReplace usage of `utils.UUIDv4()` with `uuid.New()` or wait for fix:\n\n```go\nsessionID := uuid.New()\n```\n\n### Recommended Fix\n\nModify `utils.UUIDv4()` and `utils.UUID()` to fail explicitly when cryptographic randomness is unavailable:\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"utils: failed to generate secure UUID: %v\", err))\n\t}\n\treturn token.String()\n}\n\nfunc UUID() string {\n    uuidSetup.Do(func() {\n        if _, err := rand.Read(uuidSeed[:]); err != nil {\n            panic(fmt.Sprintf(\"utils: failed to seed UUID generator: %v\", err))\n        }\n        uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n    })\n    if atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n        panic(\"utils: UUID generator not properly seeded\")\n    }\n    // ... generate UUID from counter\n}\n```\n\n---\n\n## Detection\n\nApplications can detect if they\u0027re affected by:\n\n1. Checking if they use `github.com/gofiber/utils`\n2. Searching for `UUIDv4()` and `UUID()` usage in security-critical code paths\n3. Reviewing Fiber middleware configurations that rely on defaults of `UUIDv4()` for security identifiers\n\n---\n\n## References\n\n* **Package Repository**: [https://github.com/gofiber/utils](https://github.com/gofiber/utils)\n* **Fiber Framework**: [https://github.com/gofiber/fiber](https://github.com/gofiber/fiber)\n* **Google UUID Library**: [https://github.com/google/uuid](https://github.com/google/uuid)\n* Golang `crypto/rand` behavior changes: [golang/go#66821](https://github.com/golang/go/issues/66821), [Go 1.25.5 source](https://cs.opensource.google/go/go/+/refs/tags/go1.25.5:src/crypto/rand/rand.go;l=80)\n\n---\n\n## Contact\n\nReported by: [@sixcolors](https://github.com/sixcolors)\n\n---\n\n## Classification\n\n* **OWASP**: A02:2021 - Cryptographic Failures\n* **Impact**: Complete compromise of application security model on Go \u003c 1.24\n* **Exploitability**: Medium (requires entropy failure)\n* **Scope**: All Fiber applications using affected middleware on Go \u003c 1.24",
  "id": "GHSA-m98w-cqp3-qcqr",
  "modified": "2025-12-12T16:30:26Z",
  "published": "2025-12-08T17:57:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66565"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gofiber/utils"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values"
}

Mitigation
Implementation

Determine the necessary entropy to adequately provide for randomness and predictability. This can be achieved by increasing the number of bits of objects such as keys and seeds.

CAPEC-59: Session Credential Falsification through Prediction

This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.