Source: golang-github-gorilla-csrf
Version: 1.7.2+ds1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc:
carnil@debian.org, Debian Security Team <
team@security.debian.org>
Hi,
The following vulnerability was published for golang-github-gorilla-csrf.
CVE-2025-24358[0]:
| gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention
| middleware for Go web applications & services. Prior to 1.7.2,
| gorilla/csrf does not validate the Origin header against an
| allowlist. Its executes its validation of the Referer header for
| cross-origin requests only when it believes the request is being
| served over TLS. It determines this by inspecting the r.URL.Scheme
| value. However, this value is never populated for "server" requests
| per the Go spec, and so this check does not run in practice. This
| vulnerability allows an attacker who has gained XSS on a subdomain
| or top level domain to perform authenticated form submissions
| against gorilla/csrf protected targets that share the same top level
| domain. This vulnerability is fixed in 1.7.2.
While the description and the GHSA mention 1.7.2 as beeing fixed I
think this is not correct, given the commit[2]? If you disagree, might
you double check and maybe with upstream?
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0]
https://security-tracker.debian.org/tracker/CVE-2025-24358
https://www.cve.org/CVERecord?id=CVE-2025-24358
[1]
https://github.com/gorilla/csrf/security/advisories/GHSA-rq77-p4h8-4crw
[2]
https://github.com/gorilla/csrf/commit/9dd6af1f6d30fc79fb0d972394deebdabad6b5eb
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)