Search criteria
2 vulnerabilities by nosurf_project
CVE-2025-46721 (GCVE-0-2025-46721)
Vulnerability from cvelistv5 – Published: 2025-05-13 15:29 – Updated: 2025-05-13 19:07
VLAI
Title
nosurf vulnerable to CSRF due to non-functional same-origin request checks
Summary
nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user's behalf. Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. A patch for the issue was released in nosurf 1.2.0. In lieu of upgrading to a patched version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header in the request).
Severity
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/justinas/nosurf/security/advis… | x_refsource_CONFIRM |
| https://github.com/justinas/nosurf/commit/ec9bb77… | x_refsource_MISC |
| https://github.com/advisories/GHSA-rq77-p4h8-4crw | x_refsource_MISC |
| https://github.com/justinas/nosurf-cve-2025-46721 | x_refsource_MISC |
| https://github.com/justinas/nosurf/releases/tag/v1.2.0 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46721",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-13T19:07:19.880514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T19:07:23.093Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/advisories/GHSA-rq77-p4h8-4crw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nosurf",
"vendor": "justinas",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user\u0027s behalf. Due to misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the `Referer` header is not checked to have the same origin as the target webpage. If the attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests to `example.com`. A patch for the issue was released in nosurf 1.2.0. In lieu of upgrading to a patched version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header in the request)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-13T15:29:30.068Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw"
},
{
"name": "https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee"
},
{
"name": "https://github.com/advisories/GHSA-rq77-p4h8-4crw",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/advisories/GHSA-rq77-p4h8-4crw"
},
{
"name": "https://github.com/justinas/nosurf-cve-2025-46721",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/justinas/nosurf-cve-2025-46721"
},
{
"name": "https://github.com/justinas/nosurf/releases/tag/v1.2.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/justinas/nosurf/releases/tag/v1.2.0"
}
],
"source": {
"advisory": "GHSA-w9hf-35q4-vcjw",
"discovery": "UNKNOWN"
},
"title": "nosurf vulnerable to CSRF due to non-functional same-origin request checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46721",
"datePublished": "2025-05-13T15:29:30.068Z",
"dateReserved": "2025-04-28T20:56:09.084Z",
"dateUpdated": "2025-05-13T19:07:23.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36564 (GCVE-0-2020-36564)
Vulnerability from cvelistv5 – Published: 2022-12-27 21:13 – Updated: 2025-04-11 16:26
VLAI
Title
Improper input validation in github.com/justinas/nosurf
Summary
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
Severity
7.5 (High)
CWE
- CWE 345: Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| github.com/justinas/nosurf | github.com/justinas/nosurf |
Affected:
0 , < 1.1.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T17:30:08.463Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/justinas/nosurf/pull/60"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
},
{
"tags": [
"x_transferred"
],
"url": "https://pkg.go.dev/vuln/GO-2020-0049"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T16:25:49.012598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T16:26:19.344Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "github.com/justinas/nosurf",
"product": "github.com/justinas/nosurf",
"programRoutines": [
{
"name": "VerifyToken"
},
{
"name": "verifyToken"
},
{
"name": "CSRFHandler.ServeHTTP"
}
],
"vendor": "github.com/justinas/nosurf",
"versions": [
{
"lessThan": "1.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "@aeneasr"
}
],
"descriptions": [
{
"lang": "en",
"value": "Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE 345: Insufficient Verification of Data Authenticity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-12T19:04:04.728Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://github.com/justinas/nosurf/pull/60"
},
{
"url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
},
{
"url": "https://pkg.go.dev/vuln/GO-2020-0049"
}
],
"title": "Improper input validation in github.com/justinas/nosurf"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2020-36564",
"datePublished": "2022-12-27T21:13:31.590Z",
"dateReserved": "2022-07-29T18:39:05.265Z",
"dateUpdated": "2025-04-11T16:26:19.344Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}