What is the CVSS score of CVE-2025-66630?

CVE-2025-66630 has a CVSS 3.1 base score of 9.4 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L. EPSS exploitation probability: 0.0%.

Which versions of Golang are affected by CVE-2025-66630?

Fiber web framework versions prior to 2.52.11 running on Go versions before 1.24 face a critical vulnerability where cryptographic randomness failures could be exploited to compromise session…. A patch is available.

How to fix or mitigate CVE-2025-66630?

Within 24 hours: Inventory all systems running Fiber framework and identify Go versions in use; prioritize applications handling authentication or sensitive sessions. Within 7 days: Upgrade Fiber to version 2.52.11 or later and upgrade Go to version 1.24 or later on all affected systems; test thoroughly in staging before production deployment. Within 30 days: Conduct security audit of authentication tokens and sessions generated during the vulnerable period; consider forced re-authentication for critical user accounts; implement monitoring for anomalous session activity.

Golang CVE-2025-66630

CRITICAL

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)

2026-02-09 security-advisories@github.com

GHSA-68rr-p4fp-j59v

CSRF Golang Red Hat Fiber Suse

9.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 28, 2026 - 00:26 nvd

Patch available

CVE Published

Feb 09, 2026 - 18:16 nvd

CRITICAL 9.4

DescriptionNVD

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.