Gorilla CSRF, Improper TrustedOrigins Validation, CVE-2025-24358 (Moderate)


CVE-2025-24358 in the github.com/gorilla/csrf package stems from a flaw in how the `TrustedOrigins` list is validated. The fix for a previous issue tightened the same-origin check by comparing the `Origin` header against the target URL. When a host is explicitly added to the `TrustedOrigins` allowlist, however, the validation logic only compares the hostname and port, ignoring the scheme (HTTP or HTTPS) even though the scheme is part of the origin. This creates a security mismatch: if an application on `https://example.com` adds `example.net` to its trusted origins, the middleware also trusts requests from the plain-HTTP origin `http://example.net`. An attacker positioned on the victim's network path (or anyone else able to serve plain-HTTP content for a trusted host) can inject a malicious form into an `http://example.net` response; the victim's browser submits it, sending the forged request together with its cookies to the HTTPS application, and the CSRF middleware accepts the request because the host matches the allowlist.
Platform: Gorilla/Go (github.com/gorilla/csrf)
Version: gorilla/csrf releases before the fix (Go 1.25 ships the standard-library replacement, `net/http.CrossOriginProtection`)
Vulnerability: CSRF protection bypass via scheme-blind TrustedOrigins check
Severity: Moderate

date: 2025-08-29

Prediction: Patch available

What Undercode Says:

go list -m github.com/gorilla/csrf          # which version the module graph pins
go get filippo.io/csrf/gorilla@latest       # drop-in replacement built on filippo.io/csrf
// Then swap the import path in the application; the alias keeps existing csrf.* calls compiling:
import csrf "filippo.io/csrf/gorilla"
// Before: csrf.Protect([]byte("32-byte-long-auth-key"))
// After: the key must be a secret, randomly generated 32-byte value; "trusted.com" is the page's placeholder
handler := csrf.Protect([]byte("32-byte-long-auth-key"), csrf.TrustedOrigins([]string{"trusted.com"}))(mux)

How to Exploit:

The attacker needs to control what the victim's browser receives from `http://trusted-domain.com`, for example as a man-in-the-middle on an untrusted network, since plain HTTP provides no integrity. They serve a page there containing a form that submits to `https://victim-app.com`. A victim with an active session on the victim app is tricked into loading the HTTP page (for instance by following a plain-HTTP link); the browser auto-submits the form and attaches the session cookies, subject to their SameSite attribute. The flawed validation parses the `Origin` header, sees the host `trusted-domain.com`, finds it in the TrustedOrigins list, and allows the request, so the application performs the unintended action under the victim's identity.
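The scheme-blind allowlist check explained in the opening paragraph and exploited above, reduced to a runnable Go illustration. This is an added example written for this page, not gorilla/csrf's code: `trustedOriginHostOnly` reproduces the class of check the advisory describes (host[:port] only), `trustedOriginSchemeAware` the fixed behaviour (full `scheme://host` match), and `protect` is a minimal stand-in middleware so both can be driven with constructed requests. The hostnames `example.com`, `example.net` and `attacker.example` are constructed test values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedOriginHostOnly mirrors the flawed check: only the Origin's host[:port]
// is compared with the allowlist, so http:// and https:// twins of the same
// host are both trusted. Illustration only, not gorilla/csrf's implementation.
func trustedOriginHostOnly(origin string, trusted []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	for _, t := range trusted {
		if strings.EqualFold(u.Host, t) {
			return true
		}
	}
	return false
}

// trustedOriginSchemeAware compares the whole origin (scheme://host[:port]),
// so entries must be written as full origins and a plain-HTTP Origin never
// matches an https entry.
func trustedOriginSchemeAware(origin string, trusted []string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return false
	}
	got := strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host)
	for _, t := range trusted {
		if strings.ToLower(t) == got {
			return true
		}
	}
	return false
}

// requestOrigin reconstructs the server's own origin: scheme from the TLS state
// (a server-side request URL carries no scheme), host from the Host header.
func requestOrigin(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + strings.ToLower(r.Host)
}

// protect is a minimal stand-in CSRF middleware: safe methods pass; state-changing
// methods need an Origin that is same-origin or accepted by the pluggable allowlist check.
func protect(next http.Handler, trusted []string, allow func(string, []string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r)
			return
		}
		origin := r.Header.Get("Origin")
		if origin == "" {
			http.Error(w, "missing Origin header", http.StatusForbidden)
			return
		}
		if strings.EqualFold(origin, requestOrigin(r)) || allow(origin, trusted) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "cross-origin request rejected", http.StatusForbidden)
	})
}

// status sends one constructed POST to https://example.com/transfer carrying the
// given Origin header through protect and returns the resulting HTTP status.
func status(allow func(string, []string) bool, trusted []string, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "https://example.com/transfer", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	protect(ok, trusted, allow).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	hostOnly := []string{"example.net"}            // allowlist as the flawed check expects it
	schemeAware := []string{"https://example.net"} // allowlist as the fixed check expects it
	for _, origin := range []string{
		"https://example.com",      // same origin as the application
		"https://example.net",      // the intended trusted origin
		"http://example.net",       // plain-HTTP twin: only the flawed check lets it through
		"https://attacker.example", // unrelated site
	} {
		fmt.Printf("%-26s host-only=%d scheme-aware=%d\n", origin,
			status(trustedOriginHostOnly, hostOnly, origin),
			status(trustedOriginSchemeAware, schemeAware, origin))
	}
}
```

Running it shows the bypass on the third line: `http://example.net` receives 200 from the host-only check and 403 from the scheme-aware one, while the same-origin and genuinely trusted HTTPS origins pass both and the unrelated site is rejected by both. The same-origin comparison derives the scheme from `r.TLS` rather than from `r.URL`, which is the detail the advisory's earlier Referer/Origin fix had to get right as well.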

Protection from this CVE:

Migrate to `net/http.CrossOriginProtection`, the standard-library check available from Go 1.25.

On older Go versions, use the `filippo.io/csrf` backport (`filippo.io/csrf/gorilla` keeps the gorilla API).

If you stay on gorilla/csrf, update to the patched release immediately, and list in TrustedOrigins only hosts you control and serve exclusively over HTTPS.

Impact:

Cross-Site Request Forgery: state-changing requests executed by the application on the victim's behalf

Session abuse: the forged request rides on the victim's authenticated session (the cookie itself is never disclosed to the attacker)

Privilege escalation: if the victim holds an administrative role, the forged action runs with those privileges


Sources:

Reported By: github.com