CVE-2025-47909

Name of the Vulnerable Software and Affected Versions Go (affected versions not specified)

Description Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, potentially enabling network attackers to perform Cross-Site Request Forgery (CSRF) attacks. Following the fix for CVE-2025-24358, an attacker attempting to submit a form from http://example.com to https://example.com is prevented because the Origin header is validated against a synthetic URL using sameOrigin. However, adding a host to TrustedOrigins allows both its HTTP and HTTPS origins, as the schema of the synthetic URL is disregarded, and only the host is checked. For instance, if an application hosted on https://example.com adds example.net to TrustedOrigins, an attacker can serve a form at http://example.net to execute the attack.

Recommendations Migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If migration to net/http.CrossOriginProtection is not feasible, utilize the backport available as a module at filippo.io/csrf. Employ the drop-in replacement for the github.com/gorilla/csrf API available at filippo.io/csrf/gorilla.