How to fix CVE-2025-66630?

Within 24 hours: Inventory all systems running Fiber framework and identify Go versions in use; prioritize applications handling authentication or sensitive sessions. Within 7 days: Upgrade Fiber to version 2.52.11 or later and upgrade Go to version 1.24 or later on all affected systems; test thoroughly in staging before production deployment. Within 30 days: Conduct security audit of authentication tokens and sessions generated during the vulnerable period; consider forced re-authentication for critical user accounts; implement monitoring for anomalous session activity.

Is Golang affected by CVE-2025-66630?

Fiber web framework versions prior to 2.52.11 running on Go versions before 1.24 face a critical vulnerability where cryptographic randomness failures could be exploited to compromise session security and authentication mechanisms.

CVE-2025-66630

CRITICAL

2026-02-09 [email protected]

GHSA-68rr-p4fp-j59v

9.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Feb 28, 2026 - 00:26 nvd

Patch available

CVE Published

Feb 09, 2026 - 18:16 nvd

CRITICAL 9.4

Description

Fiber is an Express inspired web framework written in Go. Before 2.52.11, on Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4(). This vulnerability is fixed in 2.52.11.

Analysis

Go Fiber web framework before 2.52.11 has a weak PRNG vulnerability (on Go < 1.24) that makes session tokens predictable, enabling session hijacking.

Technical Context

Fiber < 2.52.11 uses a CWE-338 cryptographically weak PRNG for session token generation on Go versions prior to 1.24, making tokens predictable.

Affected Products

['Go Fiber < 2.52.11 (on Go < 1.24)']

Remediation

Update Fiber to 2.52.11+ or use Go 1.24+.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +47

POC: 0

Vendor Status

CVE-2025-66630 vulnerability details – vuln.today

Back

CVE-2025-66630

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

CVE-2025-66630

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Share

External POC / Exploit Code