Source: golang-github-gorilla-csrf Version: 1.7.2+ds1-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerability was published for golang-github-gorilla-csrf. CVE-2025-24358[0]: | gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention | middleware for Go web applications & services. Prior to 1.7.2, | gorilla/csrf does not validate the Origin header against an | allowlist. Its executes its validation of the Referer header for | cross-origin requests only when it believes the request is being | served over TLS. It determines this by inspecting the r.URL.Scheme | value. However, this value is never populated for "server" requests | per the Go spec, and so this check does not run in practice. This | vulnerability allows an attacker who has gained XSS on a subdomain | or top level domain to perform authenticated form submissions | against gorilla/csrf protected targets that share the same top level | domain. This vulnerability is fixed in 1.7.2. While the description and the GHSA mention 1.7.2 as beeing fixed I think this is not correct, given the commit[2]? If you disagree, might you double check and maybe with upstream? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2025-24358 https://www.cve.org/CVERecord?id=CVE-2025-24358 [1] https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw [2] https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb Please adjust the affected versions in the BTS as needed. Regards, Salvatore
