Description
Advisory GHSA-w9hf-35q4-vcjw references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/justinas/nosurf |
Description:
Impact
This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS or otherwise), to bypass Cross-Site Request Forgery checks and issue requests on the user's behalf.
Details
Due to misuse of the Go net/http library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the Referer header is not checked to have the same origin as the target webpage.

If the attacker has control over HTML contents on either the target website (e.g. example.com), or on a website hosted on a subdomai...
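The following is an added example for this report, not nosurf's code and not part of the advisory. It shows the net/http behaviour behind the "all requests are plain-text HTTP" misclassification: for a request delivered by http.Server, r.URL is parsed from the request-target line, so r.URL.Scheme is empty even on a TLS connection, while r.TLS is non-nil exactly when the connection is TLS. The scheme-based classifier below is an assumed illustration of that misuse (the exact nosurf check is not reproduced here); the hostnames example.com and attacker.example.com, the raw request bytes and the simulated tls.ConnectionState are constructed for the example, and the token comparison is treated as already passed so that only the Referer check is exercised.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// isHTTPSByScheme decides "is this HTTPS?" from the URL scheme. For a request
// delivered by http.Server, r.URL comes from the request-target line
// ("POST /path HTTP/1.1"), so r.URL.Scheme is "" and this is always false.
// Assumed illustration of the misuse the advisory describes; not nosurf's code.
func isHTTPSByScheme(r *http.Request) bool {
	return r.URL.Scheme == "https"
}

// isHTTPS is the server-side check that works: r.TLS is non-nil exactly when
// the request arrived over a TLS connection to this server.
func isHTTPS(r *http.Request) bool {
	return r.TLS != nil
}

// refererSameOrigin reports whether the Referer header names the same HTTPS
// origin (scheme and host) as the request. A missing or malformed Referer is
// treated as cross-origin.
func refererSameOrigin(r *http.Request) bool {
	ref, err := url.Parse(r.Referer())
	if err != nil || ref.Scheme == "" || ref.Host == "" {
		return false
	}
	return ref.Scheme == "https" && strings.EqualFold(ref.Host, r.Host)
}

// rejectsCrossOrigin models a CSRF filter that applies the Referer check only
// to non-safe methods over HTTPS, using httpsCheck to classify the request.
// The token comparison is out of scope here and assumed to have passed.
func rejectsCrossOrigin(r *http.Request, httpsCheck func(*http.Request) bool) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return false
	}
	if !httpsCheck(r) {
		return false // classified as plain HTTP: Referer is not checked
	}
	return !refererSameOrigin(r)
}

// parseServerRequest builds the request an http.Server hands to a handler:
// http.ReadRequest over the raw bytes, with r.TLS populated (simulated here)
// when the connection is TLS.
func parseServerRequest(raw string, overTLS bool) (*http.Request, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if overTLS {
		req.TLS = &tls.ConnectionState{Version: tls.VersionTLS13, HandshakeComplete: true}
	}
	return req, nil
}

// Constructed sample: a state-changing POST to example.com over HTTPS whose
// Referer is a page on an attacker-controlled subdomain.
const crossOriginPost = "POST /account/email HTTP/1.1\r\n" +
	"Host: example.com\r\n" +
	"Referer: https://attacker.example.com/page\r\n" +
	"\r\n"

func main() {
	r, err := parseServerRequest(crossOriginPost, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("URL.Scheme=%q r.TLS set=%v\n", r.URL.Scheme, r.TLS != nil)
	fmt.Printf("scheme-based check rejects: %v\n", rejectsCrossOrigin(r, isHTTPSByScheme))
	fmt.Printf("r.TLS-based check rejects:  %v\n", rejectsCrossOrigin(r, isHTTPS))

	// Same observation against a live TLS server on loopback: the handler
	// sees an empty URL.Scheme and a non-nil r.TLS.
	ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		fmt.Fprintf(w, "live handler: URL.Scheme=%q r.TLS set=%v\n", req.URL.Scheme, req.TLS != nil)
	}))
	defer ts.Close()
	resp, err := ts.Client().Get(ts.URL)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	fmt.Print(string(body))
}
```

With the scheme-based classifier the cross-origin POST is waved through because it is treated as plain HTTP; with the r.TLS-based classifier the same request is rejected, and a same-origin POST or a safe-method GET is still accepted. Code that needs the request scheme on the server side should test r.TLS (or a trusted forwarding header when behind a TLS-terminating proxy), never r.URL.Scheme.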
References:
- ADVISORY: GHSA-w9hf-35q4-vcjw
- ADVISORY: GHSA-w9hf-35q4-vcjw
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-46721
- FIX: justinas/nosurf@ec9bb77
- WEB: GHSA-rq77-p4h8-4crw
- WEB: https://github.com/justinas/nosurf-cve-2025-46721
- WEB: https://github.com/justinas/nosurf/releases/tag/v1.2.0
Cross references:
- github.com/justinas/nosurf appears in 1 other report(s):
- data/reports/GO-2020-0049.yaml (dummy issue #49)
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
    - module: github.com/justinas/nosurf
      versions:
        - fixed: 1.2.0
      vulnerable_at: 1.1.1
summary: nosurf vulnerable to CSRF due to non-functional same-origin request checks in github.com/justinas/nosurf
cves:
    - CVE-2025-46721
ghsas:
    - GHSA-w9hf-35q4-vcjw
references:
    - advisory: https://github.com/advisories/GHSA-w9hf-35q4-vcjw
    - advisory: https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-46721
    - fix: https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee
    - web: https://github.com/advisories/GHSA-rq77-p4h8-4crw
    - web: https://github.com/justinas/nosurf-cve-2025-46721
    - web: https://github.com/justinas/nosurf/releases/tag/v1.2.0
source:
    id: GHSA-w9hf-35q4-vcjw
    created: 2025-05-14T15:01:35.774052995Z
review_status: UNREVIEWED