PT-2025-16379 · Unknown+2 · Gorilla/Csrf+2

Patrickod · Published 2025-04-14 · Updated 2025-08-29 · CVE-2025-24358

CVSS v4.0: 6.0 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: gorilla/csrf versions prior to 1.7.2
Description: The issue concerns a Cross-Site Request Forgery (CSRF) prevention middleware for Go web applications and services. Prior to version 1.7.2 it does not validate the Origin header against an allowlist. The Referer header of cross-origin requests is validated only when the request is believed to be served over TLS, which the middleware determines by inspecting r.URL.Scheme. However, per the Go spec this value is never populated for "server" requests (those received by an http.Server), so the check never runs. This allows an attacker with XSS on a subdomain or top-level domain to perform authenticated form submissions against protected targets sharing the same top-level domain.
Recommendations: For versions prior to 1.7.2, update to version 1.7.2 to fix the issue. As a temporary workaround, consider restricting access to sensitive form submissions to minimize the risk of exploitation.

Related Identifiers

BDU:2025-11753
CVE-2025-24358
DLA-4151-1
GHSA-RQ77-P4H8-4CRW
GO-2025-3607
OPENSUSE-SU-2025:15017-1

Affected Products

Debian
Red Os
Gorilla/Csrf