How the Vulnerability Works
The vulnerability in nosurf (a Go CSRF protection library) stems from how it handles HTTP requests received through `net/http`. By default, nosurf misclassifies every incoming request as plain-text HTTP and therefore skips the `Referer` header validation it would otherwise apply. An attacker who controls content on the target domain (e.g., via XSS) or on one of its subdomains (e.g., attacker.example.com) can manipulate cookies to extract or override CSRF tokens, and can then forge requests from the compromised subdomain that slip past the same-origin checks. The lack of `Sec-Fetch-Site` enforcement further enables cross-origin attacks.
DailyCVE Form
Platform: Go middleware
Version: <1.2.0
Vulnerability: CSRF bypass
Severity: Critical
Date: 2025-46721
What Undercode Says:
Exploitation
1. Cookie Extraction:
fetch("https://target.com", {credentials: "include"}).then(r => r.headers.get("Set-Cookie"));
2. Token Override:
Set-Cookie: csrf_token=attacker_controlled; Domain=.example.com; Path=/
3. Forged Request:
<form action="https://target.com/transfer" method="POST"> <input type="hidden" name="csrf_token" value="attacker_controlled"> </form>
Protection
1. Upgrade:
go get github.com/justinas/nosurf@v1.2.0
2. Middleware Hardening:
func CSRFMiddleware(next http.Handler) http.Handler {
    // nosurf.New returns *CSRFHandler, which exposes SetFailureHandler;
    // NewPure returns a plain http.Handler and cannot be configured this way.
    // SetFailureHandler has no return value, so it cannot be chained.
    h := nosurf.New(next)
    h.SetFailureHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.WriteHeader(http.StatusForbidden)
    }))
    return h
}
3. Headers Enforcement:
# Sec-Fetch-Site is a request header set by the browser, so it is enforced on incoming requests rather than added to responses; place this in the location serving state-changing endpoints ("same-site" covers subdomains)
if ($http_sec_fetch_site ~ "^(cross-site|same-site)$") { return 403; }
Detection
1. Log Analysis:
# negative lookahead requires PCRE (-P), not ERE (-E); the pattern assumes a log format that writes the literal "Referer:" prefix, so adapt it to your access_log format
grep -P 'Referer: https?://(?!example\.com)' /var/log/nginx/access.log
2. Token Validation:
// VerifyToken compares the real token with the one the client sent; nosurf.Token(r)
// is only populated for requests that have passed through the nosurf handler.
if !nosurf.VerifyToken(nosurf.Token(r), r.FormValue("csrf_token")) {
    log.Printf("Invalid CSRF token from IP: %s", r.RemoteAddr)
}
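The following is an added example covering both the Protection and Detection steps above; it is not code from nosurf or from this advisory. It uses only the Go standard library and shows a defence-in-depth layer that can sit in front of a token-checking middleware: it determines the transport from r.TLS (and a proxy-set X-Forwarded-Proto) rather than from r.URL.Scheme, which is empty for server-side requests and is the kind of check that classifies everything as plain-text HTTP; it rejects state-changing requests whose Sec-Fetch-Site is cross-site or same-site (a subdomain produces same-site); it validates the Referer host exactly on HTTPS; and it logs a reason for every rejection. CSRFPolicy, Allow, Middleware, StatusFor and the host example.com are hypothetical names and values chosen for the example; the requests in main are constructed with httptest and never touch the network.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// isTLS reports whether the request arrived over HTTPS. On the server side
// r.URL.Scheme is normally empty, so deciding from it treats every request as
// plain HTTP; r.TLS, or X-Forwarded-Proto from a trusted reverse proxy, is
// the reliable signal.
func isTLS(r *http.Request) bool {
	return r.TLS != nil || strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https")
}

// CSRFPolicy (hypothetical) is a defence-in-depth check placed in front of a
// token-based CSRF middleware. TrustedHost is the single host allowed as the
// Referer of state-changing requests; subdomains are deliberately excluded.
type CSRFPolicy struct {
	TrustedHost string
}

var safeMethods = map[string]bool{"GET": true, "HEAD": true, "OPTIONS": true, "TRACE": true}

// Allow reports whether r passes the policy and, if not, why.
func (p CSRFPolicy) Allow(r *http.Request) (bool, string) {
	if safeMethods[r.Method] {
		return true, ""
	}
	// Sec-Fetch-Site is set by the browser and cannot be altered by page script.
	// A subdomain such as attacker.example.com yields "same-site", so it is
	// rejected together with "cross-site".
	switch site := r.Header.Get("Sec-Fetch-Site"); site {
	case "cross-site", "same-site":
		return false, "Sec-Fetch-Site=" + site
	}
	// Referer validation for HTTPS requests: the check that is lost when every
	// request is misclassified as plain-text HTTP.
	if isTLS(r) {
		ref := r.Header.Get("Referer")
		if ref == "" {
			return false, "missing Referer on HTTPS request"
		}
		u, err := url.Parse(ref)
		if err != nil || u.Scheme != "https" || !strings.EqualFold(u.Hostname(), p.TrustedHost) {
			return false, "untrusted Referer " + ref
		}
	}
	return true, ""
}

// Middleware rejects failing requests with 403 and logs the reason, which is
// the line a log-based detection rule can match on.
func (p CSRFPolicy) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if ok, reason := p.Allow(r); !ok {
			log.Printf("CSRF policy rejected %s %s from %s: %s", r.Method, r.URL.Path, r.RemoteAddr, reason)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor runs one constructed request through the middleware with httptest
// (no network) and returns the status the client would see. target must be an
// absolute URL; httptest.NewRequest sets r.TLS for https targets.
func StatusFor(p CSRFPolicy, method, target string, headers map[string]string) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, target, nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	p.Middleware(okHandler).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	p := CSRFPolicy{TrustedHost: "example.com"} // constructed sample host
	cases := []struct {
		name    string
		headers map[string]string
	}{
		{"cross-site form post", map[string]string{"Sec-Fetch-Site": "cross-site"}},
		{"post from attacker.example.com", map[string]string{"Sec-Fetch-Site": "same-site", "Referer": "https://attacker.example.com/"}},
		{"old browser, subdomain Referer", map[string]string{"Referer": "https://attacker.example.com/"}},
		{"legitimate same-origin post", map[string]string{"Sec-Fetch-Site": "same-origin", "Referer": "https://example.com/form"}},
	}
	for _, c := range cases {
		fmt.Printf("%-34s -> %d\n", c.name, StatusFor(p, "POST", "https://example.com/transfer", c.headers))
	}
}
```

Wrap the policy around the nosurf handler (`policy.Middleware(CSRFMiddleware(mux))`) so the token check still runs for requests that pass it; the policy is an extra gate, not a replacement for the token. Because Referer is only required on HTTPS, the plaintext classification still matters, which is why isTLS consults r.TLS and the proxy header instead of the URL scheme.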
References
- Patch: nosurf v1.2.0
- CVE: CVE-2025-46721
Sources:
Reported By: github.com