PT-2025-35244 · filippo.io · filippo.io/csrf
Filippo Valsorda · Published 2025-08-29 · Updated 2025-08-29 · CVE-2025-47909
CVSS score: 7.3 (High)
Base vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions:
Go (affected versions not specified)
Description:
Hosts listed in `TrustedOrigins` implicitly allow requests from the corresponding HTTP origins as well as the HTTPS ones, potentially enabling network attackers to perform Cross-Site Request Forgery (CSRF) attacks. Following the fix for CVE-2025-24358, an attacker attempting to submit a form from `http://example.com` to `https://example.com` is blocked because the Origin header is validated against a synthetic URL using sameOrigin. However, adding a host to `TrustedOrigins` allows both its HTTP and HTTPS origins, because the scheme of the synthetic URL is disregarded and only the host is compared. For instance, if an application hosted on `https://example.com` adds `example.net` to `TrustedOrigins`, an attacker who can serve a form at `http://example.net` (for example, a network attacker on the path of a plaintext connection) can execute the attack.
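The following Go snippet is an added illustration of the origin-validation point above; it is not code from `filippo.io/csrf` or `gorilla/csrf`. `hostOnlyAllowed` models the flawed behaviour the advisory describes (a trusted entry is matched against the Origin's host alone, so the scheme is never checked), and `fullOriginAllowed` is the hardened form, which normalizes every trusted entry to a `scheme://host` origin and requires an exact match. The function names, the `siteScheme` parameter and the sample origins are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostOnlyAllowed mirrors the weak check described in the advisory
// (illustrative, not the library's code): only the host part of the
// Origin header is compared against the trusted list, so http:// and
// https:// origins of a trusted host are both accepted.
func hostOnlyAllowed(origin string, trusted []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	for _, t := range trusted {
		if strings.EqualFold(u.Host, t) {
			return true
		}
	}
	return false
}

// normalizeOrigin reduces a scheme://host[:port] value to a lower-cased
// "scheme://host" string; entries given without a scheme are assumed to
// use the protected site's own scheme rather than "any scheme".
func normalizeOrigin(raw, defaultScheme string) (string, bool) {
	if !strings.Contains(raw, "://") {
		raw = defaultScheme + "://" + raw
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host), true
}

// fullOriginAllowed is the hardened check: the Origin header must match a
// trusted entry on both scheme and host, so trusting "example.net" on an
// https site does not implicitly trust http://example.net.
func fullOriginAllowed(origin, siteScheme string, trusted []string) bool {
	got, ok := normalizeOrigin(origin, "")
	if !ok {
		return false
	}
	for _, t := range trusted {
		want, ok := normalizeOrigin(t, siteScheme)
		if ok && got == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: an https site that trusts the host "example.net".
	trusted := []string{"example.net"}
	for _, o := range []string{"https://example.net", "http://example.net", "https://example.com"} {
		fmt.Printf("%-22s host-only=%-5v scheme+host=%v\n",
			o, hostOnlyAllowed(o, trusted), fullOriginAllowed(o, "https", trusted))
	}
}
```

Run with `go run .`: the host-only check accepts `http://example.net`, whereas the scheme-aware check rejects it and accepts only `https://example.net`. An entry that genuinely needs a plaintext origin has to be listed explicitly with its scheme (`http://legacy.example.net`), which is the direction `net/http.CrossOriginProtection` takes by expressing trusted origins as full `scheme://host` values.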
Recommendations:
Migrate to `net/http.CrossOriginProtection`, introduced in Go 1.25.
If migration to `net/http.CrossOriginProtection` is not feasible, use the backport available as a module at `filippo.io/csrf`.
Employ the drop-in replacement for the `github.com/gorilla/csrf` API available at `filippo.io/csrf/gorilla`.
Fix · Origin Validation Error · CSRF