Fiber Utils Cryptographic Randomness Vulnerability in UUID Generation Functions

Vulnerability

A critical vulnerability exists in the Fiber Utils package, specifically in the UUIDv4() and UUID() functions, in versions 2.0.0-rc.3 and prior. When the system's cryptographic random number generator fails, these functions silently fall back to returning predictable UUIDs, including the zero UUID '00000000-0000-0000-0000-000000000000'. The issue arises because failures of crypto/rand.Read() are not surfaced to the caller, compromising the security of Fiber applications that rely on these functions for critical operations. The vulnerability is present in all Go versions prior to 1.24, as Go 1.24 and later handle crypto/rand failures by panicking, thereby preventing the fallback to predictable UUIDs.

Impact

Exploitation of this vulnerability leads to a complete compromise of the application's security model, causing all UUIDs generated for security-sensitive operations to default to a single predictable value, the zero UUID. This results in severe consequences, including session fixation, predictable CSRF tokens, authentication token replay, global identifier collisions, and potential application-wide denial-of-service conditions.

Reproduction

The vulnerability can be reproduced by using the UUIDv4() or UUID() functions in a Fiber application running on Go versions prior to 1.24. In scenarios where the cryptographic random number generator fails, both functions fall back to returning the zero UUID without reporting any error, so the application cannot detect the failure and its security is compromised.

Remediation

Users can replace calls to utils.UUIDv4() with uuid.New() to avoid the vulnerability. The Fiber Utils package has been updated to version 2.0.0-rc.4, which addresses this issue by making the UUID() and UUIDv4() functions fail explicitly when cryptographic randomness is unavailable.
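The silent-fallback pattern described under Reproduction and the explicit-failure pattern described under Remediation, as an added illustration in Go (not the Fiber Utils code itself): uuidUnchecked swallows the read error and hands out the zero UUID, uuidChecked returns the error, and brokenRand is a constructed reader standing in for an unavailable CSPRNG.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// ZeroUUID is the predictable value the silent fallback hands out.
const ZeroUUID = "00000000-0000-0000-0000-000000000000"

// formatV4 sets the version and variant bits and renders the canonical form.
func formatV4(b [16]byte) string {
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	h := hex.EncodeToString(b[:])
	return h[:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

// uuidUnchecked models the vulnerable pattern: a failed read is swallowed and the zero UUID is returned like any other value.
func uuidUnchecked(src io.Reader) string {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return ZeroUUID // silent fallback: the defect
	}
	return formatV4(b)
}

// uuidChecked is the remediated pattern: the failure reaches the caller, who must abort instead of proceeding.
func uuidChecked(src io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(src, b[:]); err != nil {
		return "", fmt.Errorf("uuid: random source unavailable: %w", err)
	}
	return formatV4(b), nil
}

// NewUUID draws from the system CSPRNG and fails explicitly on error.
func NewUUID() (string, error) { return uuidChecked(rand.Reader) }

// brokenRand is a constructed reader that simulates an unavailable CSPRNG.
type brokenRand struct{}
func (brokenRand) Read([]byte) (int, error) { return 0, fmt.Errorf("entropy unavailable") }

func main() {
	fmt.Println("unchecked:", uuidUnchecked(brokenRand{})) // prints the zero UUID
	_, err := uuidChecked(brokenRand{})
	fmt.Println("checked:", err)
}
```

A caller of the remediated form must treat the error as fatal for the operation; a comparison against ZeroUUID is only a last-resort check for identifiers produced by the unpatched version.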

Added: Dec 9, 2025, 6:27 PM
Updated: Dec 10, 2025, 12:12 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.