PT-2025-20924 · Nosurf · Nosurf
Patrickod · Published 2025-04-14 · Updated 2025-06-23 · CVE-2025-46721
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: nosurf versions prior to 1.2.0
Description: A vulnerability in nosurf allows an attacker who controls content on the target site, or on a subdomain of the target site, to bypass CSRF checks and issue requests on a user's behalf. This is due to the misuse of the Go net/http library, which categorizes all incoming requests as plain-text HTTP requests, resulting in the Referer header not being checked for the same origin as the target webpage. If an attacker has control over HTML contents on either the target website or a website hosted on a subdomain of the target, they can manipulate cookies set for the target website, acquire the secret CSRF token from the cookie, or override the cookie with a new token known to the attacker. This enables the attacker to craft cross-site requests to the target website.
Recommendations: For versions prior to 1.2.0, update to nosurf version 1.2.0 to resolve the issue. As a temporary workaround, consider using another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin, such as requiring a Sec-Fetch-Site: same-origin header in the request.
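The Sec-Fetch-Site workaround above, as an added illustration that is not nosurf's own code: a hypothetical Go middleware (`RequireSameOrigin`, name assumed) that rejects every non-safe request unless the browser sent `Sec-Fetch-Site: same-origin`, so a page on an attacker-controlled subdomain (which the browser labels `same-site`, not `same-origin`) cannot submit a state-changing request.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Safe methods are passed through unchanged; only state-changing methods are checked.
var safeMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true, http.MethodOptions: true,
}

// RequireSameOrigin is a hypothetical middleware (not part of nosurf). It relies on
// the browser-set Sec-Fetch-Site fetch metadata header: "same-origin" is the only
// value accepted, so "same-site" (a subdomain) and "cross-site" are both refused.
// Caveat: requests without the header (non-browser clients, very old browsers)
// are refused too, so scope this middleware to browser-facing routes.
func RequireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safeMethods[r.Method] && r.Header.Get("Sec-Fetch-Site") != "same-origin" {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor sends one constructed request through the middleware and returns the
// resulting HTTP status; an empty fetchSite means the header is omitted.
func StatusFor(method, fetchSite string) int {
	h := RequireSameOrigin(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(method, "https://example.test/transfer", nil) // constructed
	if fetchSite != "" {
		req.Header.Set("Sec-Fetch-Site", fetchSite)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ method, site string }{
		{"POST", "same-origin"}, {"POST", "same-site"}, {"POST", "cross-site"}, {"POST", ""}, {"GET", ""},
	}
	for _, c := range cases {
		fmt.Printf("%-4s Sec-Fetch-Site=%q -> %d\n", c.method, c.site, StatusFor(c.method, c.site))
	}
}
```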

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-46721
GHSA-RQ77-P4H8-4CRW
GHSA-W9HF-35Q4-VCJW
GO-2025-3683
OPENSUSE-SU-2025:15135-1

Affected Products

Nosurf