ghsa-rq77-p4h8-4crw
Vulnerability from github
Published
2025-04-14 15:26
Modified
2025-05-01 12:31
Severity ?
5.4 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
Summary
gorilla/csrf CSRF vulnerability due to broken Referer validation
Details

Summary

gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin.

Details

gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. // URL specifies either the URI being requested (for server // requests) or the URL to access (for client requests). // // For server requests, the URL is parsed from the URI // supplied on the Request-Line as stored in RequestURI. For // most requests, fields other than Path and RawQuery will be // empty. (See [RFC 7230, Section 5.3](https://rfc-editor.org/rfc/rfc7230.html#section-5.3)) // // For client requests, the URL's Host specifies the server to // connect to, while the Request's Host field optionally // specifies the Host header value to send in the HTTP // request. URL *[url](https://pkg.go.dev/net/url).[URL](https://pkg.go.dev/net/url#URL)

PoC

  • create trusted origin target.example.test protected with gorilla/csrf and served over TLS hosting form on /submit
  • create attacker origin attack.example.test served over TLS
  • attacker exfiltrates token & cookie combination from target.example.test
  • attacker sets exfiltrated cookie with domain=.example.test and path=/submit
  • as the cookie has a more specific path than / (the default for CSRF cookies) it will be sent first by the browser on submit to our target origin
  • submit form from attack.example.test with exfiltrated CSRF form token
  • observe valid form submission as attack.example.test Origin / Referer headers are not validated.

Impact

This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain.

This bug has existed in gorilla/csrf since its initial release in 2015.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gorilla/csrf"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.7.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-24358"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-14T15:26:07Z",
    "nvd_published_at": "2025-04-15T19:16:07Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\ngorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin.\n\n### Details\n\ngorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the `r.URL.Scheme` value. However, this value is never populated for \"server\" requests [per the Go spec](https://pkg.go.dev/net/http#Request), and so this check does not run in practice. \n```\n\t// URL specifies either the URI being requested (for server\n\t// requests) or the URL to access (for client requests).\n\t//\n\t// For server requests, the URL is parsed from the URI\n\t// supplied on the Request-Line as stored in RequestURI.  For\n\t// most requests, fields other than Path and RawQuery will be\n\t// empty. (See [RFC 7230, Section 5.3](https://rfc-editor.org/rfc/rfc7230.html#section-5.3))\n\t//\n\t// For client requests, the URL\u0027s Host specifies the server to\n\t// connect to, while the Request\u0027s Host field optionally\n\t// specifies the Host header value to send in the HTTP\n\t// request.\n\tURL *[url](https://pkg.go.dev/net/url).[URL](https://pkg.go.dev/net/url#URL)\n```\n\n### PoC\n\n- create trusted origin `target.example.test` protected with gorilla/csrf and served over TLS hosting form on `/submit`\n- create attacker origin `attack.example.test` served over TLS\n- attacker exfiltrates token \u0026 cookie combination from `target.example.test` \n- attacker sets exfiltrated cookie with `domain=.example.test and path=/submit`\n  - as the cookie has a more specific path than `/` (the default for CSRF cookies) it will be sent first by the browser on submit to our target origin\n- submit form from `attack.example.test` with exfiltrated CSRF form token\n- observe valid form submission as `attack.example.test` Origin / Referer headers are not validated. \n\n### Impact\n\nThis vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain.\n\nThis bug has existed in gorilla/csrf since its initial release in 2015.",
  "id": "GHSA-rq77-p4h8-4crw",
  "modified": "2025-05-01T12:31:16Z",
  "published": "2025-04-14T15:26:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24358"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gorilla/csrf"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00002.html"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3607"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "gorilla/csrf CSRF vulnerability due to broken Referer validation"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.