CVE-2025-47909
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-08-29
Assigner: Go Project
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| golang | gorilla_csrf | From 1.25.0 (inc) to 1.25.2 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | Origin Validation Error: the product does not properly verify that the source of data or communication is valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-47909 is a vulnerability in the Go package github.com/gorilla/csrf in how the TrustedOrigins option is handled. TrustedOrigins is a list of hosts whose cross-origin requests are implicitly trusted. The flaw is that the check compares only the host of the request's Origin and ignores the scheme, so once a host is listed both its http:// and https:// origins are accepted. A network attacker in a man-in-the-middle position can exploit this by serving a malicious form from an HTTP origin whose host matches a trusted entry; the victim's browser then submits the form to the HTTPS application with an Origin header that the check accepts, enabling Cross-Site Request Forgery (CSRF). This undermines the protection added by the fix for CVE-2025-24358, which checked the Origin header with a sameOrigin policy against a synthetic URL that includes the scheme. In effect, the application is tricked into accepting requests from HTTP origins that should never have been trusted. [1, 2]
How can this vulnerability impact me?
A network attacker in a man-in-the-middle position can mount Cross-Site Request Forgery (CSRF) attacks against applications that use a vulnerable github.com/gorilla/csrf with TrustedOrigins configured. Because only the host is compared, the attacker can serve a malicious form from the HTTP origin of a trusted host, and the application will accept the resulting forged requests. The outcome is state-changing actions performed with the victim's authenticated session, with the usual consequences for user data, session integrity and application security. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is in the github.com/gorilla/csrf package's handling of TrustedOrigins: any host on the list is trusted over both HTTP and HTTPS. Detection is therefore a matter of finding applications that depend on the package and configure TrustedOrigins, since the scheme check is missing inside the library rather than in your own code. Check go.mod and go.sum for the github.com/gorilla/csrf dependency and grep the source for the option, for example: grep -r TrustedOrigins /path/to/your/app and grep gorilla/csrf /path/to/your/app/go.mod. At runtime, Origin headers with an http:// scheme arriving on state-changing requests to an HTTPS-only application are a useful signal of attempted exploitation, although a man-in-the-middle attacker will typically be on the victim's network rather than yours. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The recommended fix is to migrate to net/http.CrossOriginProtection, introduced in Go 1.25, whose trusted-origin list takes full origins of the form scheme://host[:port], so an HTTPS entry does not implicitly trust the HTTP origin. If you cannot move to Go 1.25, use the backported module filippo.io/csrf, which provides a drop-in replacement for the github.com/gorilla/csrf API with corrected TrustedOrigins handling. In either case, review and minimise the hosts in TrustedOrigins, removing anything reachable over plain HTTP, and avoid relying on TrustedOrigins at all until the vulnerable package has been replaced. [1, 2]
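The host-only comparison described in the first answer above, beside the scheme-aware comparison that the mitigations in the last answer switch to, as an added example written for this page; it is not code from gorilla/csrf, from Go's net/http.CrossOriginProtection or from filippo.io/csrf, but a simplified model of both behaviours using only the standard library, so it compiles on Go versions before 1.25. The function names (hostOnlyTrusted, fullOriginTrusted, allowRequest), the hostnames app.example.com and evil.example, and the requests are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// hostOnlyTrusted models the flaw in the advisory: the trusted list holds
// bare hosts and only the Origin header's host is compared, so the http://
// and https:// origins of a trusted host are both accepted.
// Simplified stand-in written for this page, not gorilla/csrf's code.
func hostOnlyTrusted(trustedHosts []string, origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	for _, h := range trustedHosts {
		if strings.EqualFold(h, u.Host) {
			return true
		}
	}
	return false
}

// normalizeOrigin accepts only a bare "scheme://host[:port]" and returns it
// with scheme and host lower-cased. Anything else (path, query, userinfo,
// or the literal "null" browsers send for opaque origins) is rejected.
func normalizeOrigin(s string) (string, bool) {
	u, err := url.Parse(s)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	if u.User != nil || u.Opaque != "" || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", false
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host), true
}

// fullOriginTrusted is the corrected comparison: every allow-list entry is a
// complete origin and must match the Origin header exactly, scheme included.
func fullOriginTrusted(trustedOrigins []string, origin string) bool {
	got, ok := normalizeOrigin(origin)
	if !ok {
		return false
	}
	for _, t := range trustedOrigins {
		if want, ok := normalizeOrigin(t); ok && want == got {
			return true
		}
	}
	return false
}

// requestOrigin rebuilds the origin the request was sent to from the TLS
// state and the Host header. Behind a TLS-terminating proxy the scheme would
// have to come from a forwarded header you control, never from the client.
func requestOrigin(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + r.Host
}

// allowRequest applies the corrected policy to a request: methods that do not
// change state pass; any other method must carry an Origin equal to the
// request's own origin or to a fully specified trusted origin. An unsafe
// request with no Origin is denied here, which is stricter than a deployment
// serving non-browser clients may want (an assumption of this model).
func allowRequest(r *http.Request, trustedOrigins []string) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return true
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		return false
	}
	allowed := append([]string{requestOrigin(r)}, trustedOrigins...)
	return fullOriginTrusted(allowed, origin)
}

func main() {
	trustedHosts := []string{"app.example.com"}           // what the flawed list holds
	trustedOrigins := []string{"https://app.example.com"} // what the corrected list holds

	// Constructed Origin values; the second is what a MitM-served HTTP form yields.
	for _, o := range []string{"https://app.example.com", "http://app.example.com", "https://evil.example"} {
		fmt.Printf("%-26s host-only=%-5v full-origin=%v\n",
			o, hostOnlyTrusted(trustedHosts, o), fullOriginTrusted(trustedOrigins, o))
	}

	// Constructed request: the victim's browser posts the MitM form to the HTTPS site.
	r := httptest.NewRequest(http.MethodPost, "https://app.example.com/transfer", nil)
	r.Header.Set("Origin", "http://app.example.com")
	fmt.Println("POST with http:// Origin allowed by corrected policy:", allowRequest(r, trustedOrigins))
}
```

With the flawed comparison the Origin http://app.example.com is accepted because its host is on the list; with the full-origin comparison it is rejected, while HTTPS same-origin posts and exact trusted origins still pass. This is the same shape of allow-list net/http.CrossOriginProtection expects: its AddTrustedOrigin takes a complete scheme://host[:port] value, so listing https://app.example.com does not trust the HTTP origin.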