18 matches found
github.com/gorilla/csrf improperly validates TrustedOrigins allowing CSRF attacks
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin...
PT-2025-35244
Name of the Vulnerable Software and Affected Versions: Go, affected versions not specified. Description: Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, potentially enabling network attackers to perform Cross-Site Request Forgery (CSRF) attacks. Following...
Debian: Security Advisory (DLA-4151-1)
The remote host is missing an update for the Debian ... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ... if(description)...
Debian dla-4151 : golang-github-gorilla-csrf-dev - security update
The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-4151 advisory. -------------------------------------------------------------------------- Debian LTS Advisory DLA-4151-1 [email protected] https://www.debian.org/lts/security...
GO-2025-3607 gorilla/csrf CSRF vulnerability due to broken Referer validation in github.com/gorilla/csrf
gorilla/csrf CSRF vulnerability due to broken Referer validation in github.com/gorilla/csrf...
Cross-Site Request Forgery (CSRF)
github.com/gorilla/csrf is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability is due to improper origin validation caused by relying on the r.URL.Scheme field to detect TLS; that field is never set for server-side requests, so the check never runs, allowing an attacker with XSS on a related domain to perform...
SUSE CVE-2025-24358
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
DEBIAN-CVE-2025-24358
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
UBUNTU-CVE-2025-24358
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
CVE-2025-24358 gorilla/csrf CSRF vulnerability due to broken Referer validation
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
CVE-2025-24358
CVE-2025-24358 affects gorilla/csrf in Go web applications: prior to 1.7.2 the Origin header was not validated against an allowlist, and the Referer check was gated on a TLS detection that misbehaves for server-side requests, so the check was skipped. An attacker with XSS on a subdomain or another origin sharing the target's top-level domain could submit auth...
CVE-2025-24358 gorilla/csrf CSRF vulnerability due to broken Referer validation
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
CVE-2025-24358
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
CVE-2025-24358 gorilla/csrf CSRF vulnerability due to broken Referer validation
gorilla/csrf provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to 1.7.2, gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it believes...
csrf cross-site request forgery vulnerability
csrf is an open source library from the Gorilla web toolkit that provides Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. A cross-site request forgery vulnerability exists in csrf versions prior to 1.7.2, which stems from an unvalidated Origin header and...
GHSA-RQ77-P4H8-4CRW gorilla/csrf CSRF vulnerability due to broken Referer validation
Summary: gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top-level domain with the target origin. Details: gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it...
gorilla/csrf CSRF vulnerability due to broken Referer validation
Summary: gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top-level domain with the target origin. Details: gorilla/csrf does not validate the Origin header against an allowlist. It executes its validation of the Referer header for cross-origin requests only when it...
PT-2025-16379 · Unknown +2 · Gorilla/Csrf +2
Name of the Vulnerable Software and Affected Versions: gorilla/csrf versions prior to 1.7.2. Description: The issue concerns a Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. It does not validate the Origin header against an allowlist prior to version...
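The two weaknesses these results describe, the Referer check gated on r.URL.Scheme (which net/http never populates for inbound requests, so the check silently never runs) and TrustedOrigins entries matched by host alone (so an http:// origin is accepted for a host trusted over https), are easy to reproduce in a few lines. The following is an added illustration written for this page; it is a simplified model of the flaws as the advisories describe them, not gorilla/csrf's own source, and the function names, hosts (app.example.com, evil.example.com, partner.example) and request headers are constructed for the example. It builds requests the way a real server sees them (path request-target, origin recoverable only from r.Host and r.TLS), shows the flawed gate letting a cross-site POST through, shows the host-only trust list accepting a plain-http origin, and contrasts both with a check that compares full scheme://host origins.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// serverRequest builds a request the way a net/http server receives it: the
// request-target is a path, so r.URL carries no scheme or host, and TLS is
// visible only through r.TLS. Constructed sample input, not captured traffic.
func serverRequest(method, host, path string, tlsOn bool, hdr map[string]string) *http.Request {
	r := httptest.NewRequest(method, path, nil)
	r.Host = host
	if tlsOn {
		r.TLS = &tls.ConnectionState{HandshakeComplete: true, ServerName: host}
	}
	for k, v := range hdr {
		r.Header.Set(k, v)
	}
	return r
}

// tlsDetectedViaURL models the broken TLS detection the advisories describe:
// r.URL.Scheme is empty on inbound server requests, so this is always false.
func tlsDetectedViaURL(r *http.Request) bool {
	return r.URL.Scheme == "https"
}

// refererAllowedByHost models a Referer check that compares hosts only, so a
// plain-http origin is accepted for any host on the trusted list (hypothetical
// model of the TrustedOrigins issue, not the library's code).
func refererAllowedByHost(r *http.Request, trustedHosts []string) bool {
	ref, err := url.Parse(r.Referer())
	if err != nil || ref.Host == "" {
		return false
	}
	if strings.EqualFold(ref.Host, r.Host) {
		return true
	}
	for _, h := range trustedHosts {
		if strings.EqualFold(ref.Host, h) {
			return true
		}
	}
	return false
}

// vulnerableCheck gates Referer validation on tlsDetectedViaURL, so for real
// server requests the validation is skipped and every cross-origin POST passes.
func vulnerableCheck(r *http.Request, trustedHosts []string) bool {
	if !tlsDetectedViaURL(r) {
		return true
	}
	return refererAllowedByHost(r, trustedHosts)
}

// requestOrigin recovers the request's own origin from r.TLS and r.Host,
// never from r.URL.Scheme.
func requestOrigin(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + strings.ToLower(r.Host)
}

// hardenedCheck: for state-changing methods require Origin (falling back to
// Referer) and compare the full scheme://host[:port] against the request's
// own origin or an allowlist of full origins. Matching the scheme is what
// keeps http://partner.example out when only https://partner.example is trusted.
func hardenedCheck(r *http.Request, trustedOrigins []string) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true
	}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Referer()
	}
	u, err := url.Parse(src)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false // no usable source origin: reject rather than assume same-site
	}
	origin := strings.ToLower(u.Scheme + "://" + u.Host)
	if origin == requestOrigin(r) {
		return true
	}
	for _, t := range trustedOrigins {
		if origin == strings.ToLower(t) {
			return true
		}
	}
	return false
}

func main() {
	// Attacker page on https://evil.example.com submitting a form to https://app.example.com.
	xsite := serverRequest(http.MethodPost, "app.example.com", "/transfer", true,
		map[string]string{"Origin": "https://evil.example.com", "Referer": "https://evil.example.com/x"})
	fmt.Println("cross-site POST, vulnerable:", vulnerableCheck(xsite, nil)) // true: check skipped
	fmt.Println("cross-site POST, hardened:  ", hardenedCheck(xsite, nil))   // false

	// Host-only trust list: http://partner.example passes because only the host is compared.
	mitm := serverRequest(http.MethodPost, "app.example.com", "/transfer", true,
		map[string]string{"Origin": "http://partner.example", "Referer": "http://partner.example/form"})
	fmt.Println("http trusted host, host-only:", refererAllowedByHost(mitm, []string{"partner.example"}))   // true
	fmt.Println("http trusted host, hardened: ", hardenedCheck(mitm, []string{"https://partner.example"})) // false
}
```

Note that httptest.NewRequest with an absolute "https://..." target would populate r.URL.Scheme and mask the first flaw; the helper deliberately uses a path target and sets r.TLS itself so the model matches what a real listener hands to middleware. Any production check should also account for a TLS-terminating proxy (for example a trusted X-Forwarded-Proto), which this example does not model.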