Vulnerability Details : CVE-2025-24358
gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for Go web applications & services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice. This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain. This vulnerability is fixed in 1.7.2.
Vulnerability category: Cross site scripting (XSS)Cross-site request forgery (CSRF)
Products affected by CVE-2025-24358
Please log in to view affected product information.
Exploit prediction scoring system (EPSS) score for CVE-2025-24358
0.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 1 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2025-24358
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.4
|
MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/V... |
N/A
|
N/A
|
GitHub, Inc. | 2025-04-15 |
5.4
|
MEDIUM | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/V... |
N/A
|
N/A
|
GitHub, Inc. | 2025-04-15 |
CWE ids for CVE-2025-24358
-
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.Assigned by:
- a0819718-46f1-4df5-94e2-005712e83aaa (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2025-24358
-
https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw
-
https://lists.debian.org/debian-lts-announce/2025/05/msg00002.html
[SECURITY] [DLA 4151-1] golang-github-gorilla-csrf security update
-
https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb
Jump to