diff --git a/src/engine/guid/guid.c b/src/engine/guid/guid.c
index 657665cc22..1759b73fd8 100644
--- a/src/engine/guid/guid.c
+++ b/src/engine/guid/guid.c
@@ -434,11 +434,12 @@ decode_md5_string(const char *string, unsigned char *data)
 const char *
 guid_to_string(const GUID * guid)
 {
-  static char string[33];
+  char *string = malloc(GUID_ENCODING_LENGTH+1);
+  if (!string) return NULL;
 
   encode_md5_data(guid->data, string);
 
-  string[32] = '\0';
+  string[GUID_ENCODING_LENGTH] = '\0';
 
   return string;
 }
diff --git a/src/engine/guid/guid.h b/src/engine/guid/guid.h
index 8aabff9627..93458d9299 100644
--- a/src/engine/guid/guid.h
+++ b/src/engine/guid/guid.h
@@ -70,10 +70,9 @@ void guid_new(GUID *guid);
 /* Return a null-terminated string encoding of the id. String
  * encodings of identifiers are hex numbers printed only with the
  * characters '0' through '9' and 'a' through 'f'. The encoding will
- * always be 32 characters long. The returned string should not be
- * modified. A subsequent call to guid_to_string() will overwrite
- * the result of a previous call.  hack alert -- this means that
- * this routine is *not* thread safe! ... needs fixing. */
+ * always be 32 characters long. The returned string should be
+ * freed when no longer needed.
+ */
 const char * guid_to_string(const GUID * guid);