Acknowledgement
- The maintainer(s) of the affected project have already been made aware of this vulnerability.
Description
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks.
After the CVE-2025-24358 (GHSA-rq77-p4h8-4crw) fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com, because the Origin header is checked with sameOrigin against a synthetic URL composed of the https Schema (unless PlaintextHTTPRequest is used) and the Host header as Host. All modern browsers send the Origin header.
However, if a host is added to TrustedOrigins (which is unfortunately a list of hosts, not origins), then both its HTTP and HTTPS origins will be allowed, because the Schema of the synthetic URL is ignored, and only the Host is checked.
Concretely, if an application is hosted on https://example.com and adds example.net to TrustedOrigins, then a network attacker can serve a form at http://example.net to perform the attack.
Note that this includes any hosts added to TrustedOrigins to work around breakages caused by the CVE-2025-24358 fix in v1.7.3.
Applications should migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If that is not an option, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla.
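The two checks described above, modelled side by side as an added example (this is not gorilla/csrf's or filippo.io/csrf's code; the function names, the parseOrigin helper and the trusted lists are assumptions): sameOriginAsHost is the post-CVE-2025-24358 comparison of the Origin header against the synthetic https://<Host> URL, hostOnlyTrusted is the host-only TrustedOrigins match that lets the plaintext origin through, and originTrusted is the origin-based form that also compares the scheme.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Added example, not the library's code. Function names and the trusted
// lists below are assumptions used to illustrate the report's point.

var errBadOrigin = errors.New("Origin header is missing, \"null\", or unparsable")

// parseOrigin accepts only an Origin value of the form scheme://host[:port].
// url.Parse lowercases the scheme; the host is compared case-insensitively.
func parseOrigin(origin string) (*url.URL, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, errBadOrigin // covers "", "null" and garbage
	}
	return u, nil
}

// sameOriginAsHost models the post-fix check: the request is assumed to be
// https://<Host> (http://<Host> when plaintext is set) and the Origin header
// must match both scheme and host of that synthetic URL.
func sameOriginAsHost(origin, hostHeader string, plaintext bool) (bool, error) {
	o, err := parseOrigin(origin)
	if err != nil {
		return false, err
	}
	scheme := "https"
	if plaintext {
		scheme = "http"
	}
	return o.Scheme == scheme && strings.EqualFold(o.Host, hostHeader), nil
}

// hostOnlyTrusted models the weak TrustedOrigins behaviour: entries are bare
// hosts, so the Origin's scheme is never compared and http://example.net is
// accepted alongside https://example.net.
func hostOnlyTrusted(origin string, trustedHosts []string) (bool, error) {
	o, err := parseOrigin(origin)
	if err != nil {
		return false, err
	}
	for _, h := range trustedHosts {
		if strings.EqualFold(o.Host, h) {
			return true, nil
		}
	}
	return false, nil
}

// originTrusted is the corrected form: entries are full origins and both
// scheme and host must match, so a plaintext origin cannot stand in for
// its TLS counterpart.
func originTrusted(origin string, trustedOrigins []string) (bool, error) {
	o, err := parseOrigin(origin)
	if err != nil {
		return false, err
	}
	for _, t := range trustedOrigins {
		tu, err := parseOrigin(t)
		if err != nil {
			continue // a misconfigured entry never matches anything
		}
		if o.Scheme == tu.Scheme && strings.EqualFold(o.Host, tu.Host) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed scenario from the report: app served on https://example.com,
	// example.net added to the trusted list (as a host, and as an origin).
	hostHeader := "example.com"
	origins := []string{"https://example.com", "http://example.com",
		"https://example.net", "http://example.net", "null"}
	for _, origin := range origins {
		same, _ := sameOriginAsHost(origin, hostHeader, false)
		weak, _ := hostOnlyTrusted(origin, []string{"example.net"})
		strict, _ := originTrusted(origin, []string{"https://example.net"})
		fmt.Printf("%-20s sameOrigin=%-5v hostOnly=%-5v originBased=%v\n",
			origin, same, weak, strict)
	}
}
```

Running main prints one row per candidate Origin; the row for http://example.net is the one the report is about: the host-only check accepts it while the origin-based check does not. Treating a missing or "null" Origin as an error rather than a silent mismatch keeps the failure mode visible in logs.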
Affected Modules, Packages, Versions and Symbols
Module: github.com/gorilla/csrf
Package: github.com/gorilla/csrf
Versions:
- Introduced: 1.7.3
Symbols:
- TrustedOrigins
CVE/GHSA ID
GHSA-rm6j-cg4g-v2xx
Fix Commit or Pull Request
No response
References
No response
Additional information
This vulnerability is unfixed, and is being disclosed following a customary 90-day delay.
This was reported to the project via GitHub as GHSA-rm6j-cg4g-v2xx on April 18th, 2025, following the project's security policy. An unsuccessful attempt was made to contact a maintainer directly via Slack on April 24th. The project was notified on July 3rd of the intention to make the report public after a customary 90-day deadline (expired on July 17th). The project never responded to or acknowledged the report.
There doesn’t seem to be a way to unilaterally make a GHSA public. Please issue a CVE.