Gofiber Fiber Web Framework UUID Generation Vulnerability on Go Versions Prior to 1.24

Vulnerability

A vulnerability exists in the Gofiber Fiber web framework in versions prior to 2.52.11 when it is run on Go versions prior to 1.24. On those Go versions the underlying crypto/rand implementation can fail to provide secure randomness, and Fiber's UUID functions do not surface that failure: they silently return predictable, low-entropy identifiers. The consequences are security-relevant because many of Fiber's middleware components depend on these UUIDs for critical functions such as session management, CSRF protection, and rate limiting.

Impact

When the flaw is triggered, Fiber generates predictable or all-zero UUIDs. An attacker who can predict them can perform session fixation or hijacking, forge CSRF tokens, and replay authentication, and the collapse of key-based structures (such as rate-limiter buckets) into a single shared key can produce denial-of-service conditions. The same collapse also causes request-ID collisions, disrupting logging and trace integrity.

Remediation

Users are advised to update to Gofiber Fiber version 2.52.11 or later.

Added: Feb 9, 2026, 6:24 PM
Updated: Feb 9, 2026, 10:10 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          6.4
  impact          5.0
  exploitability  7.1
  remediation     7.7
  relevance       2.6
  threat          3.2
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.