fix(deps): update module github.com/gofiber/fiber/v2 to v2.52.11 [security]#56
Open
renovate[bot] wants to merge 1 commit into main from
This PR contains the following updates:
v2.52.10 → v2.52.11

GitHub Vulnerability Alerts
CVE-2025-66630
Fiber v2 contains an internal vendored copy of gofiber/utils, and its functions UUIDv4() and UUID() inherit the same critical weakness described in the upstream advisory. On Go versions prior to 1.24, the underlying crypto/rand implementation can return an error if secure randomness cannot be obtained. In such cases, these Fiber v2 UUID functions silently fall back to generating predictable values: the all-zero UUID 00000000-0000-0000-0000-000000000000.

On Go 1.24+, the language guarantees that crypto/rand no longer returns an error (it will block or panic instead), so this vulnerability primarily affects Fiber v2 users running Go 1.23 or earlier, which Fiber v2 officially supports.

Because no error is returned by the Fiber v2 UUID functions, application code may unknowingly rely on predictable, repeated, or low-entropy identifiers in security-critical pathways. This is especially impactful because many Fiber v2 middleware components (session middleware, CSRF, rate limiting, request-ID generation, etc.) default to using utils.UUIDv4().

Impact includes, but is not limited to:
All Fiber v2 versions containing the internal utils.UUIDv4() / utils.UUID() implementation are affected when running on Go <1.24. No patched Fiber v2 release currently exists.

Suggested Mitigations / Workarounds
Update to the latest version of Fiber v2.
Likelihood / Environmental Factors
It's important to note that entropy exhaustion on modern Linux systems is extremely rare, as the kernel's CSPRNG is resilient and non-blocking. However, entropy-source failures, where crypto/rand cannot read from its underlying provider, are significantly more likely in certain environments.

This includes containerized deployments, restricted sandboxes, misconfigured systems lacking read access to /dev/urandom or platform-equivalent sources, chrooted or jailed environments, embedded devices, or systems with non-standard or degraded randomness providers. On Go <1.24, such failures cause crypto/rand to return an error, which the Fiber v2 UUID functions currently treat as a signal to silently generate predictable UUIDs, including the zero UUID. This silent fallback is the root cause of the vulnerability.

References
Upstream advisory for gofiber/utils: GHSA-m98w-cqp3-qcqr

Source repositories:
github.com/gofiber/fiber
github.com/gofiber/utils

Credits / Reporter
Reported by @sixcolors (Fiber Maintainer / Security Team)
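The silent zero-UUID fallback described in the advisory above, reproduced side by side with a checked form and a startup self-check. This is an added example, not code from Fiber or gofiber/utils: `failingReader` is a constructed io.Reader standing in for a crypto/rand source that returns an error on Go <1.24, and `uuidV4SilentFallback` only simulates the behaviour the advisory describes (swallowing the error and returning the zero UUID). `uuidV4Checked` propagates the error instead, and `randomnessSelfCheck` is a guard an application pinned to Go <1.24 could run at startup to refuse to serve if its randomness source yields the zero UUID or repeats.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// zeroUUID is the predictable value the advisory says the vulnerable
// functions return when secure randomness is unavailable.
const zeroUUID = "00000000-0000-0000-0000-000000000000"

// ErrNoEntropy stands in for the error crypto/rand could return on Go <1.24.
// It is a constructed error for this demonstration only.
var ErrNoEntropy = errors.New("secure randomness unavailable")

// failingReader is a constructed io.Reader that always fails, simulating a
// sandbox or chroot where /dev/urandom cannot be read.
type failingReader struct{}

func (failingReader) Read(p []byte) (int, error) { return 0, ErrNoEntropy }

// formatUUID renders 16 bytes in the canonical 8-4-4-4-12 hex form.
func formatUUID(b [16]byte) string {
	h := hex.EncodeToString(b[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:32]
}

// setV4Bits stamps the RFC 4122 version (4) and variant (10xx) bits.
func setV4Bits(b *[16]byte) {
	b[6] = (b[6] & 0x0f) | 0x40
	b[8] = (b[8] & 0x3f) | 0x80
}

// uuidV4SilentFallback reproduces the failure mode the advisory describes
// (a simulation, not Fiber's code): the read error is swallowed and the
// caller gets the zero UUID with no indication that anything went wrong.
func uuidV4SilentFallback(r io.Reader) string {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return zeroUUID
	}
	setV4Bits(&b)
	return formatUUID(b)
}

// uuidV4Checked is the hardened form: the randomness error is returned so
// the caller can refuse to issue a session ID, CSRF token or request ID.
func uuidV4Checked(r io.Reader) (string, error) {
	var b [16]byte
	if _, err := io.ReadFull(r, b[:]); err != nil {
		return "", fmt.Errorf("uuidv4: %w", err)
	}
	setV4Bits(&b)
	return formatUUID(b), nil
}

// randomnessSelfCheck is a startup guard for applications still on Go <1.24:
// it draws n UUIDs and fails if any read errors, is the zero UUID, or repeats,
// which are the symptoms the advisory names.
func randomnessSelfCheck(r io.Reader, n int) error {
	seen := make(map[string]struct{}, n)
	for i := 0; i < n; i++ {
		u, err := uuidV4Checked(r)
		if err != nil {
			return err
		}
		if u == zeroUUID {
			return errors.New("self-check: zero UUID generated")
		}
		if _, dup := seen[u]; dup {
			return errors.New("self-check: repeated UUID generated")
		}
		seen[u] = struct{}{}
	}
	return nil
}

func main() {
	fmt.Println("silent fallback on failure:", uuidV4SilentFallback(failingReader{}))
	if _, err := uuidV4Checked(failingReader{}); err != nil {
		fmt.Println("checked form on failure:", err)
	}
	u, _ := uuidV4Checked(rand.Reader)
	fmt.Println("checked form with crypto/rand:", u)
	fmt.Println("self-check with crypto/rand:", randomnessSelfCheck(rand.Reader, 1000))
}
```

The self-check catches the degraded-source case as well as the hard-failure one: a reader that returns bytes but no variety produces a repeat on the second draw, which the duplicate check flags even though no error was ever returned.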
Release Notes
gofiber/fiber (github.com/gofiber/fiber/v2)
v2.52.11 (Compare Source)
What's Changed
🧹 Updates
🐛 Bug Fixes
Full Changelog: gofiber/fiber@v2.52.10...v2.52.11
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.