Source: golang-github-gorilla-csrf
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for golang-github-gorilla-csrf.

CVE-2025-47909[0]:
| Hosts listed in TrustedOrigins implicitly allow requests from the
| corresponding HTTP origins, allowing network MitMs to perform CSRF
| attacks. After the CVE-2025-24358 fix, a network attacker that
| places a form at http://example.com can't get it to submit to
| https://example.com because the Origin header is checked with
| sameOrigin against a synthetic URL. However, if a host is added to
| TrustedOrigins, both its HTTP and HTTPS origins will be allowed,
| because the schema of the synthetic URL is ignored and only the host
| is checked. For example, if an application is hosted on
| https://example.com and adds example.net to TrustedOrigins, a
| network attacker can serve a form at http://example.net to perform
| the attack. Applications should migrate to
| net/http.CrossOriginProtection, introduced in Go 1.25. If that is
| not an option, a backport is available as a module at
| filippo.io/csrf, and a drop-in replacement for the
| github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla.

https://github.com/golang/vulndb/issues/3884
https://github.com/advisories/GHSA-82ff-hg59-8x73

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-47909
    https://www.cve.org/CVERecord?id=CVE-2025-47909

Please adjust the affected versions in the BTS as needed.
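As an added illustration of the scheme problem described above (this is not code from gorilla/csrf, filippo.io/csrf or the Go standard library; the function names and the trusted-origin lists are hypothetical), the host-only comparison is shown beside a scheme-aware one that rejects a plain-HTTP origin for an HTTPS site:

```go
package main

import (
	"fmt"
	"net/url"
)

// hostOnlyAllowed models the weak check: only the host part of the Origin
// header is compared against the trusted list, so the scheme is ignored and
// http://example.net is accepted whenever example.net is trusted.
func hostOnlyAllowed(origin string, trustedHosts []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	for _, h := range trustedHosts {
		if u.Host == h {
			return true
		}
	}
	return false
}

// schemeAwareAllowed models the hardened check: trusted entries are full
// origins (scheme://host) and both scheme and host must match exactly, so a
// plain-HTTP origin is only accepted if it was listed explicitly.
func schemeAwareAllowed(origin string, trustedOrigins []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	for _, t := range trustedOrigins {
		tu, err := url.Parse(t)
		if err != nil {
			continue // malformed entry in the trusted list: never matches
		}
		if u.Scheme == tu.Scheme && u.Host == tu.Host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: an HTTPS site that trusts example.net as a host name.
	attackerOrigin := "http://example.net"
	fmt.Println("host-only   :", hostOnlyAllowed(attackerOrigin, []string{"example.net"}))          // true
	fmt.Println("scheme-aware:", schemeAwareAllowed(attackerOrigin, []string{"https://example.net"})) // false
}
```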

