The Go library gorilla/csrf provides Cross Site Request Forgery (CSRF) prevention middleware for web applications and services. However, all versions prior to 1.7.2 contain a CSRF vulnerability (CVE-2025-24358) caused by an oversight in validating the Origin header against an allowlist. This flaw potentially permits an attacker who controls a subdomain or the top-level domain to perform authenticated form submissions against targets protected by gorilla/csrf.
The vulnerability lies within the following piece of code:

	if r.URL.Scheme == "https" {
		origin := r.Header.Get("Origin")
		if origin == "" {
			origin = r.Header.Get("Referer")
		}
		headerOk := false
		for i := range s.Domains {
			if strings.HasSuffix(origin, s.Domains[i]) {
				headerOk = true
				break
			}
		}
		if !headerOk {
			return ErrNoReferer
		}
	}
The code decides whether the request is being served over TLS by inspecting r.URL.Scheme. However, the Go net/http documentation states that for server-side requests the URL is parsed from the request line, so fields other than Path and RawQuery, including Scheme, are left empty. As a consequence the TLS condition is never true in practice, the Origin/Referer allowlist check inside it never runs, and cross-origin requests are accepted as if they had passed it.
Exploit Details
Successful exploitation allows an attacker to perform authenticated form submissions against gorilla/csrf protected targets that share the same top-level domain.
For example, an attacker who has gained XSS on example.com can submit CSRF requests to another host under that domain, such as accounts.example.com, provided that the target uses gorilla/csrf.
Original References and Fix
The vulnerability was first disclosed on GitHub:
- Issue #86
- Pull Request #87
- Commit
This vulnerability has been fixed in gorilla/csrf version 1.7.2. It is highly recommended to upgrade to this version to ensure the security of your Go web applications and services. The fixed code snippet looks like this:

	origin := r.Header.Get("Origin")
	if origin == "" {
		origin = r.Header.Get("Referer")
	}
	headerOk := false
	for i := range s.Domains {
		if strings.HasSuffix(origin, s.Domains[i]) {
			headerOk = true
			break
		}
	}
	if !headerOk {
		return ErrNoReferer
	}
You can find the library gorilla/csrf on GitHub and begin using version 1.7.2 to protect your applications against CSRF vulnerabilities.
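Added example (not gorilla/csrf's own code) that demonstrates both points above: schemeSeenByServer serves one request through Go's httptest TLS server and returns the r.URL.Scheme the handler observed (empty, so the vulnerable comparison against "https" can never match), while the hypothetical requestIsTLS and originAllowed functions decide on r.TLS and compare the parsed Origin host against an allowlist exactly instead of suffix-matching the raw header. Function names, the allowlist values and the test server are constructed for this illustration.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// requestIsTLS uses r.TLS: gorilla/csrf < 1.7.2 tested r.URL.Scheme == "https",
// but net/http leaves URL.Scheme empty for server-side requests.
func requestIsTLS(r *http.Request) bool {
	return r.TLS != nil
}

// originAllowed is a hypothetical hardened check: it parses the Origin header
// (falling back to Referer) and requires the host to equal an allowlist entry,
// rather than testing the raw header string with strings.HasSuffix.
func originAllowed(r *http.Request, allowed []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		origin = r.Header.Get("Referer")
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	for _, a := range allowed {
		if u.Hostname() == a {
			return true
		}
	}
	return false
}

// schemeSeenByServer serves one request over TLS (httptest) and returns the
// r.URL.Scheme the handler observed: "" even though the transport is TLS.
func schemeSeenByServer() (string, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.URL.Scheme)
	}))
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}
```

The rejected "evilaccounts.example.com" case in the accompanying checks is exactly the kind of Origin that a bare suffix comparison would have let through.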
Timeline
Published on: 04/15/2025 19:16:07 UTC
Last modified on: 05/01/2025 11:15:53 UTC