CWE-338
AllowedUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Abstraction: Base · Status: Draft
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
293 vulnerabilities reference this CWE, most recent first.
GHSA-J85Q-WHC9-G4P9
Vulnerability from github – Published: 2021-09-02 17:07 – Updated: 2021-08-16 23:13showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "showdoc/showdoc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.9.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-3678"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-16T23:13:12Z",
"nvd_published_at": "2021-08-04T14:15:00Z",
"severity": "MODERATE"
},
"details": "showdoc is vulnerable to Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
"id": "GHSA-j85q-whc9-g4p9",
"modified": "2021-08-16T23:13:12Z",
"published": "2021-09-02T17:07:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3678"
},
{
"type": "WEB",
"url": "https://github.com/star7th/showdoc/commit/4b962c1740311e0d46775023b6acba39ad60e370"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/f9a9defd-29ea-4442-b692-ff1512813de4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Use of Cryptographically Weak Pseudo-Random Number Generator in showdoc"
}
GHSA-JGH6-FQF6-CPJ8
Vulnerability from github – Published: 2025-07-19 00:32 – Updated: 2025-12-03 15:30In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.
{
"affected": [],
"aliases": [
"CVE-2025-7394"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-18T23:15:23Z",
"severity": "HIGH"
},
"details": "In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report.",
"id": "GHSA-jgh6-fqf6-cpj8",
"modified": "2025-12-03T15:30:27Z",
"published": "2025-07-19T00:32:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7394"
},
{
"type": "WEB",
"url": "https://github.com/wolfSSL/wolfssl/blob/master/ChangeLog.md#wolfssl-release-582-july-17-2025"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-JGPX-VX43-89FF
Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-05-24 19:10A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator's session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted.
{
"affected": [],
"aliases": [
"CVE-2021-3047"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-08-11T17:15:00Z",
"severity": "LOW"
},
"details": "A cryptographically weak pseudo-random number generator (PRNG) is used during authentication to the Palo Alto Networks PAN-OS web interface. This enables an authenticated attacker, with the capability to observe their own authentication secrets over a long duration on the PAN-OS appliance, to impersonate another authenticated web interface administrator\u0027s session. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.19; PAN-OS 9.0 versions earlier than PAN-OS 9.0.14; PAN-OS 9.1 versions earlier than PAN-OS 9.1.10; PAN-OS 10.0 versions earlier than PAN-OS 10.0.4. PAN-OS 10.1 versions are not impacted.",
"id": "GHSA-jgpx-vx43-89ff",
"modified": "2022-05-24T19:10:41Z",
"published": "2022-05-24T19:10:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3047"
},
{
"type": "WEB",
"url": "https://security.paloaltonetworks.com/CVE-2021-3047"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-JJ4X-QM7Q-JMM9
Vulnerability from github – Published: 2022-05-24 17:17 – Updated: 2022-05-24 17:17Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. This affects, for example, Samsung Galaxy S8, S8+, and Note8 devices with the BCM4361 chipset. The Samsung ID is SVE-2020-16882 (May 2020).
{
"affected": [],
"aliases": [
"CVE-2020-6616"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-05-08T20:15:00Z",
"severity": "LOW"
},
"details": "Some Broadcom chips mishandle Bluetooth random-number generation because a low-entropy Pseudo Random Number Generator (PRNG) is used in situations where a Hardware Random Number Generator (HRNG) should have been used to prevent spoofing. This affects, for example, Samsung Galaxy S8, S8+, and Note8 devices with the BCM4361 chipset. The Samsung ID is SVE-2020-16882 (May 2020).",
"id": "GHSA-jj4x-qm7q-jmm9",
"modified": "2022-05-24T17:17:31Z",
"published": "2022-05-24T17:17:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-6616"
},
{
"type": "WEB",
"url": "https://github.com/seemoo-lab/internalblue/blob/master/doc/rng.md"
},
{
"type": "WEB",
"url": "https://media.ccc.de/v/DiVOC-6-finding_eastereggs_in_broadcom_s_bluetooth_random_number_generator"
},
{
"type": "WEB",
"url": "https://security.samsungmobile.com/securityUpdate.smsb"
},
{
"type": "WEB",
"url": "https://support.apple.com/HT211168"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211100"
},
{
"type": "WEB",
"url": "https://support.apple.com/kb/HT211168"
},
{
"type": "WEB",
"url": "https://twitter.com/naehrdine/status/1255980443368919045"
},
{
"type": "WEB",
"url": "https://twitter.com/naehrdine/status/1255981245147877377"
},
{
"type": "WEB",
"url": "http://bluetooth.lol"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2020/May/49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-JQXQ-7F92-M7WW
Vulnerability from github – Published: 2025-03-11 00:31 – Updated: 2025-03-11 03:30Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions.
Crypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider.
In particular, Windows versions of perl will encounter this issue by default.
{
"affected": [],
"aliases": [
"CVE-2025-1828"
],
"database_specific": {
"cwe_ids": [
"CWE-331",
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-11T00:15:11Z",
"severity": "HIGH"
},
"details": "Crypt::Random Perl package 1.05 through 1.55 may use rand() function, which is not cryptographically strong, for cryptographic functions.\n\nCrypt::Random::rand 1.05 through 1.55 uses the rand() function. If the Provider is not specified and /dev/urandom or an Entropy Gathering Daemon (egd) service is not available Crypt::Random will default to use the insecure Crypt::Random::rand provider.\n\nIn particular, Windows versions of perl will encounter this issue by default.",
"id": "GHSA-jqxq-7f92-m7ww",
"modified": "2025-03-11T03:30:49Z",
"published": "2025-03-11T00:31:49Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-1828"
},
{
"type": "WEB",
"url": "https://github.com/perl-Crypt-OpenPGP/Crypt-Random/pull/1"
},
{
"type": "WEB",
"url": "https://github.com/perl-Crypt-OpenPGP/Crypt-Random/commit/1f8b29e9e89d8d083fd025152e76ec918136cc05"
},
{
"type": "WEB",
"url": "https://perldoc.perl.org/functions/rand"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-JW9C-3JFH-2QQ2
Vulnerability from github – Published: 2024-05-06 03:30 – Updated: 2024-07-03 18:38Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography.
{
"affected": [],
"aliases": [
"CVE-2024-34538"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-06T03:15:10Z",
"severity": "HIGH"
},
"details": "Mateso PasswordSafe through 8.13.9.26689 has Weak Cryptography.",
"id": "GHSA-jw9c-3jfh-2qq2",
"modified": "2024-07-03T18:38:59Z",
"published": "2024-05-06T03:30:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34538"
},
{
"type": "WEB",
"url": "https://hansesecure.de/2023/02/schwachstelle-in-passwordsafe-mateso"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M76J-7JH6-JXJ5
Vulnerability from github – Published: 2026-02-17 00:30 – Updated: 2026-02-17 15:31Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.
{
"affected": [],
"aliases": [
"CVE-2025-15578"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-16T22:22:40Z",
"severity": "CRITICAL"
},
"details": "Maypole versions from 2.10 through 2.13 for Perl generates session ids insecurely. The session id is seeded with the system time (which is available from HTTP response headers), a call to the built-in rand() function, and the PID.",
"id": "GHSA-m76j-7jh6-jxj5",
"modified": "2026-02-17T15:31:35Z",
"published": "2026-02-17T00:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15578"
},
{
"type": "WEB",
"url": "https://metacpan.org/dist/Maypole/source/lib/Maypole/Session.pm#L43"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M98W-CQP3-QCQR
Vulnerability from github – Published: 2025-12-08 17:57 – Updated: 2025-12-12 16:30Summary
Critical security vulnerabilities exist in both the UUIDv4() and UUID() functions of the github.com/gofiber/utils package. When the system's cryptographic random number generator (crypto/rand) fails, both functions silently fall back to returning predictable UUID values, the zero UUID "00000000-0000-0000-0000-000000000000". This compromises the security of all Fiber applications using these functions for security-critical operations on Go versions prior to 1.24.
Both functions are vulnerable to the same root cause (crypto/rand failure):
UUIDv4(): Indirect vulnerability throughuuid.NewRandom()→crypto/rand.Read()→ fallback toUUID()UUID(): Direct vulnerability throughcrypto/rand.Read(uuidSeed[:])→ silent zero UUID return
Note: Go 1.24 and later panics on
crypto/randRead()failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.
Vulnerability Details
Affected Functions
- Package:
github.com/gofiber/utils - Functions:
UUIDv4()andUUID() - Return Type:
string(both functions) - Locations:
common.go:93-99(UUIDv4),common.go:60-89(UUID)
Technical Description
The vulnerability occurs through two related but distinct failure paths, both ultimately caused by crypto/rand.Read() failures on Go < 1.24:
Primary Path: UUIDv4() Vulnerability
UUIDv4()callsgoogle/uuid.NewRandom()which internally usescrypto/rand.Read()- If
uuid.NewRandom()fails,UUIDv4()falls back to the internalUUID()function - No error is returned to the application - silent security failure occurs
Secondary Path: UUID() Vulnerability
UUID()directly callscrypto/rand.Read(uuidSeed[:])to seed its internal state- If seeding fails,
UUID()silently fails and returns the zero UUID"00000000-0000-0000-0000-000000000000" - Applications receive predictable UUIDs with no indication of the security failure
Code Analysis
UUIDv4() Vulnerability Path
func UUIDv4() string {
token, err := uuid.NewRandom() // Uses crypto/rand.Read() internally
if err != nil {
return UUID() // Dangerous fallback - no error returned to application
}
return token.String()
}
UUID() Vulnerability Path
func UUID() string {
uuidSetup.Do(func() {
if _, err := rand.Read(uuidSeed[:]); err != nil { // Direct crypto/rand.Read() call
return // Silent failure - no seeding, uuidCounter remains 0
}
uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
})
if atomic.LoadUint64(&uuidCounter) <= 0 {
return "00000000-0000-0000-0000-000000000000" // Zero UUID returned silently
}
// ... generate UUID from counter
}
Root Cause: Both vulnerabilities stem from crypto/rand.Read() failures, occurring through different code paths with the same dangerous silent fallback behavior.
Security Impact
Severity: CRITICAL
This issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to utils.UUIDv4() for generating security-sensitive identifiers. A failure in crypto/rand would cause every generated identifier across the entire application to collapse to a single predictable value (the zero UUID), resulting in:
- Session fixation / universal session hijack
- CSRF token predictability and bypass
- Authentication token replay
- Global identifier collisions leading to severe application breakage
- Potential application-wide DoS due to every request using the same “unique” key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users
Attack Scenario
While entropy exhaustion is extremely rare on modern Linux systems, RNG access failures (e.g., restricted /dev/random or /dev/urandom access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on Go < 1.24, crypto/rand may return errors immediately — triggering the vulnerable fallback paths.
On Go 1.24+, crypto/rand Read() panics on failure, mitigating the silent-zero fallback issue.
Proof of Concept
uuid.NewRandom()fails (indirectcrypto/rand.Read()failure)UUIDv4()callsUUID()as fallback with no error returnedUUID()seeding fails directly viacrypto/rand.Read(uuidSeed[:])- Zero UUID
"00000000-0000-0000-0000-000000000000"is returned silently - No error is propagated to the application from either function
Affected Versions
- All versions of
github.com/gofiber/utilscontaining theUUIDv4()orUUID()functions - Applications using Fiber middleware that depend on
UUIDv4()orUUIDfor security - Only applicable to Go < 1.24; Go 1.24+ panics/block on
crypto/randRead()failures and is not affected
Mitigation
Immediate Workaround
Replace usage of utils.UUIDv4() with uuid.New() or wait for fix:
sessionID := uuid.New()
Recommended Fix
Modify utils.UUIDv4() and utils.UUID() to fail explicitly when cryptographic randomness is unavailable:
func UUIDv4() string {
token, err := uuid.NewRandom()
if err != nil {
panic(fmt.Sprintf("utils: failed to generate secure UUID: %v", err))
}
return token.String()
}
func UUID() string {
uuidSetup.Do(func() {
if _, err := rand.Read(uuidSeed[:]); err != nil {
panic(fmt.Sprintf("utils: failed to seed UUID generator: %v", err))
}
uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])
})
if atomic.LoadUint64(&uuidCounter) <= 0 {
panic("utils: UUID generator not properly seeded")
}
// ... generate UUID from counter
}
Detection
Applications can detect if they're affected by:
- Checking if they use
github.com/gofiber/utils - Searching for
UUIDv4()andUUID()usage in security-critical code paths - Reviewing Fiber middleware configurations that rely on defaults of
UUIDv4()for security identifiers
References
- Package Repository: https://github.com/gofiber/utils
- Fiber Framework: https://github.com/gofiber/fiber
- Google UUID Library: https://github.com/google/uuid
- Golang
crypto/randbehavior changes: golang/go#66821, Go 1.25.5 source
Contact
Reported by: @sixcolors
Classification
- OWASP: A02:2021 - Cryptographic Failures
- Impact: Complete compromise of application security model on Go < 1.24
- Exploitability: Medium (requires entropy failure)
- Scope: All Fiber applications using affected middleware on Go < 1.24
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.0.0-rc.3.0.20251205210924-6c6cf047032b"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/utils/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.0-rc.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.1.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/gofiber/utils"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66565"
],
"database_specific": {
"cwe_ids": [
"CWE-252",
"CWE-331",
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T17:57:26Z",
"nvd_published_at": "2025-12-09T16:18:21Z",
"severity": "CRITICAL"
},
"details": "## Summary\n\nCritical security vulnerabilities exist in both the `UUIDv4()` and `UUID()` functions of the `github.com/gofiber/utils` package. When the system\u0027s cryptographic random number generator (`crypto/rand`) fails, both functions silently fall back to returning predictable UUID values, the zero UUID `\"00000000-0000-0000-0000-000000000000\"`. This compromises the security of all Fiber applications using these functions for security-critical operations on **Go versions prior to 1.24**.\n\n**Both functions are vulnerable to the same root cause (`crypto/rand` failure):**\n\n* `UUIDv4()`: Indirect vulnerability through `uuid.NewRandom()` \u2192 `crypto/rand.Read()` \u2192 fallback to `UUID()`\n* `UUID()`: Direct vulnerability through `crypto/rand.Read(uuidSeed[:])` \u2192 silent zero UUID return\n\n\u003e **Note:** Go 1.24 and later panics on `crypto/rand` `Read()` failures, mitigating this vulnerability. Applications running on Go 1.24+ are not affected by the silent fallback behavior.\n\n---\n\n## Vulnerability Details\n\n### Affected Functions\n\n* **Package**: `github.com/gofiber/utils`\n* **Functions**: `UUIDv4()` and `UUID()`\n* **Return Type**: `string` (both functions)\n* **Locations**: `common.go:93-99` (UUIDv4), `common.go:60-89` (UUID)\n\n### Technical Description\n\nThe vulnerability occurs through two related but distinct failure paths, both ultimately caused by `crypto/rand.Read()` failures on Go \u003c 1.24:\n\n#### Primary Path: UUIDv4() Vulnerability\n\n1. `UUIDv4()` calls `google/uuid.NewRandom()` which internally uses `crypto/rand.Read()`\n2. If `uuid.NewRandom()` fails, `UUIDv4()` falls back to the internal `UUID()` function\n3. **No error is returned to the application** - silent security failure occurs\n\n#### Secondary Path: UUID() Vulnerability\n\n1. `UUID()` directly calls `crypto/rand.Read(uuidSeed[:])` to seed its internal state\n2. If seeding fails, `UUID()` **silently fails** and returns the zero UUID `\"00000000-0000-0000-0000-000000000000\"`\n3. Applications receive predictable UUIDs with no indication of the security failure\n\n---\n\n### Code Analysis\n\n#### UUIDv4() Vulnerability Path\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom() // Uses crypto/rand.Read() internally\n\tif err != nil {\n\t\treturn UUID() // Dangerous fallback - no error returned to application\n\t}\n\treturn token.String()\n}\n```\n\n#### UUID() Vulnerability Path\n\n```go\nfunc UUID() string {\n\tuuidSetup.Do(func() {\n\t\tif _, err := rand.Read(uuidSeed[:]); err != nil { // Direct crypto/rand.Read() call\n\t\t\treturn // Silent failure - no seeding, uuidCounter remains 0\n\t\t}\n\t\tuuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n\t})\n\tif atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n\t\treturn \"00000000-0000-0000-0000-000000000000\" // Zero UUID returned silently\n\t}\n\t// ... generate UUID from counter\n}\n```\n\n**Root Cause:** Both vulnerabilities stem from `crypto/rand.Read()` failures, occurring through different code paths with the same dangerous silent fallback behavior.\n\n---\n\n## Security Impact\n\n### Severity: CRITICAL\n\nThis issue is especially severe because many Fiber middleware packages (session, CSRF, auth, rate-limit, request-ID, etc.) default to `utils.UUIDv4()` for generating security-sensitive identifiers. A failure in `crypto/rand` would cause **every generated identifier across the entire application** to collapse to a single predictable value (the zero UUID), resulting in:\n\n* **Session fixation / universal session hijack**\n* **CSRF token predictability and bypass**\n* **Authentication token replay**\n* **Global identifier collisions leading to severe application breakage**\n* **Potential application-wide DoS** due to every request using the same \u201cunique\u201d key, causing cache overwrites, session stomping, corrupted internal maps, and loss of isolation across all users\n\n---\n\n### Attack Scenario\n\nWhile **entropy exhaustion is extremely rare on modern Linux systems**, *RNG access failures* (e.g., restricted `/dev/random` or `/dev/urandom` access, broken container environments, sandbox restrictions, misconfigured VMs, or FIPS-mode RNG failures) are realistic. In these scenarios on **Go \u003c 1.24**, `crypto/rand` may return errors immediately \u2014 triggering the vulnerable fallback paths.\n\nOn **Go 1.24+**, `crypto/rand` `Read()` panics on failure, mitigating the silent-zero fallback issue.\n\n---\n\n### Proof of Concept\n\n1. `uuid.NewRandom()` fails (indirect `crypto/rand.Read()` failure)\n2. `UUIDv4()` calls `UUID()` as fallback with no error returned\n3. `UUID()` seeding fails directly via `crypto/rand.Read(uuidSeed[:])`\n4. Zero UUID `\"00000000-0000-0000-0000-000000000000\"` is returned silently\n5. No error is propagated to the application from either function\n\n---\n\n## Affected Versions\n\n* All versions of `github.com/gofiber/utils` containing the `UUIDv4()` or `UUID()` functions\n* Applications using Fiber middleware that depend on `UUIDv4()` or `UUID` for security\n* **Only applicable to Go \u003c 1.24**; Go 1.24+ panics/block on `crypto/rand` `Read()` failures and is not affected\n\n---\n\n## Mitigation\n\n### Immediate Workaround\n\nReplace usage of `utils.UUIDv4()` with `uuid.New()` or wait for fix:\n\n```go\nsessionID := uuid.New()\n```\n\n### Recommended Fix\n\nModify `utils.UUIDv4()` and `utils.UUID()` to fail explicitly when cryptographic randomness is unavailable:\n\n```go\nfunc UUIDv4() string {\n\ttoken, err := uuid.NewRandom()\n\tif err != nil {\n\t\tpanic(fmt.Sprintf(\"utils: failed to generate secure UUID: %v\", err))\n\t}\n\treturn token.String()\n}\n\nfunc UUID() string {\n uuidSetup.Do(func() {\n if _, err := rand.Read(uuidSeed[:]); err != nil {\n panic(fmt.Sprintf(\"utils: failed to seed UUID generator: %v\", err))\n }\n uuidCounter = binary.LittleEndian.Uint64(uuidSeed[:8])\n })\n if atomic.LoadUint64(\u0026uuidCounter) \u003c= 0 {\n panic(\"utils: UUID generator not properly seeded\")\n }\n // ... generate UUID from counter\n}\n```\n\n---\n\n## Detection\n\nApplications can detect if they\u0027re affected by:\n\n1. Checking if they use `github.com/gofiber/utils`\n2. Searching for `UUIDv4()` and `UUID()` usage in security-critical code paths\n3. Reviewing Fiber middleware configurations that rely on defaults of `UUIDv4()` for security identifiers\n\n---\n\n## References\n\n* **Package Repository**: [https://github.com/gofiber/utils](https://github.com/gofiber/utils)\n* **Fiber Framework**: [https://github.com/gofiber/fiber](https://github.com/gofiber/fiber)\n* **Google UUID Library**: [https://github.com/google/uuid](https://github.com/google/uuid)\n* Golang `crypto/rand` behavior changes: [golang/go#66821](https://github.com/golang/go/issues/66821), [Go 1.25.5 source](https://cs.opensource.google/go/go/+/refs/tags/go1.25.5:src/crypto/rand/rand.go;l=80)\n\n---\n\n## Contact\n\nReported by: [@sixcolors](https://github.com/sixcolors)\n\n---\n\n## Classification\n\n* **OWASP**: A02:2021 - Cryptographic Failures\n* **Impact**: Complete compromise of application security model on Go \u003c 1.24\n* **Exploitability**: Medium (requires entropy failure)\n* **Scope**: All Fiber applications using affected middleware on Go \u003c 1.24",
"id": "GHSA-m98w-cqp3-qcqr",
"modified": "2025-12-12T16:30:26Z",
"published": "2025-12-08T17:57:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gofiber/utils/security/advisories/GHSA-m98w-cqp3-qcqr"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66565"
},
{
"type": "WEB",
"url": "https://github.com/gofiber/utils/commit/6c6cf047032b9c8dff43d29f990b4b10e9b02d47"
},
{
"type": "PACKAGE",
"url": "https://github.com/gofiber/utils"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Fiber Utils UUIDv4 and UUID Silent Fallback to Predictable Values"
}
GHSA-M9M5-CG5H-R582
Vulnerability from github – Published: 2021-08-25 20:50 – Updated: 2023-06-13 20:01In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an as conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure ChaCha random number generator.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nanorand"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-35926"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2021-08-19T18:55:41Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In versions of nanorand prior to 0.5.1, RandomGen implementations for standard unsigned integers could fail to properly generate numbers, due to using bit-shifting to truncate a 64-bit number, rather than just an as conversion. This often manifested as RNGs returning nothing but 0, including the cryptographically secure ChaCha random number generator.",
"id": "GHSA-m9m5-cg5h-r582",
"modified": "2023-06-13T20:01:40Z",
"published": "2021-08-25T20:50:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35926"
},
{
"type": "WEB",
"url": "https://github.com/Absolucy/nanorand-rs/commit/5ba218ac29df4786b002d7d12b47fa0c04a331f2"
},
{
"type": "PACKAGE",
"url": "https://github.com/Absolucy/nanorand-rs"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2020-0089.html"
},
{
"type": "WEB",
"url": "https://twitter.com/aspenluxxxy/status/1336684692284772352"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Improper random number generation in nanorand"
}
GHSA-MHHF-VGWH-FW9H
Vulnerability from github – Published: 2022-12-06 21:13 – Updated: 2024-10-09 20:09Impact
Everyone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the password(s) being easily able to be guessed with Passeo's use of the random library. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches this with the secrets library.
Workarounds
No current workaround available than updating to v1.0.5.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "passeo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-23472"
],
"database_specific": {
"cwe_ids": [
"CWE-338"
],
"github_reviewed": true,
"github_reviewed_at": "2022-12-06T21:13:32Z",
"nvd_published_at": "2022-12-06T18:15:00Z",
"severity": "HIGH"
},
"details": "### Impact\nEveryone below v1.0.5 is impacted by this flaw, of confidentiality being at risk due to the password(s) being easily able to be guessed with Passeo\u0027s use of the ``random`` library. It is recommended to change any passwords made with Passeo before v1.0.5 and upgrade to v1.0.5, and v1.0.5 patches this with the ``secrets`` library.\n\n### Workarounds\nNo current workaround available than updating to v1.0.5.\n",
"id": "GHSA-mhhf-vgwh-fw9h",
"modified": "2024-10-09T20:09:02Z",
"published": "2022-12-06T21:13:32Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23472"
},
{
"type": "WEB",
"url": "https://github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a"
},
{
"type": "PACKAGE",
"url": "https://github.com/ArjunSharda/Passeo"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/passeo/PYSEC-2022-42997.yaml"
},
{
"type": "WEB",
"url": "https://peps.python.org/pep-0506"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Passeo uses insecure random number generator"
}
Mitigation
Use functions or hardware which use a hardware-based random number generation for all crypto. This is the recommended solution. Use CyptGenRandom on Windows, or hw_rand() on Linux.
No CAPEC attack patterns related to this CWE.