Cross-Site Request Forgery Vulnerability in Go Applications by TrustedOrigins
CVE-2025-47909

7.3HIGH

Key Information:

Vendor: Github.com/gorilla/csrf
Status: Github.com/gorilla/csrf
Vendor: CVE Published:; 29 August 2025

🔔 Create Github.com/gorilla/csrf Vulnerability Alert

What is CVE-2025-47909?

The vulnerability in Go applications arises from the improper handling of TrustedOrigins, which permits network attackers to exploit Cross-Site Request Forgery (CSRF) attacks. When a host is included in the TrustedOrigins list, it fails to properly validate the request origins, allowing both HTTP and HTTPS requests. This flaw can be manipulated by attackers who can host forms on malicious domains, leading to unauthorized actions being executed on behalf of users. To mitigate this risk, developers should transition to using net/http.CrossOriginProtection, or utilize backported alternatives available for older versions.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

github.com/gorilla/csrf 0

References

https://github.com/golang/vulndb/issues/3884

https://pkg.go.dev/vuln/GO-2025-3884

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 29, 2025
Vulnerability Reserved
May 13, 2025

Credit

Filippo Valsorda

JSON

Github.com/gorilla/csrf