Cross-Site Request Forgery Vulnerability in Go Applications by TrustedOrigins
CVE-2025-47909
What is CVE-2025-47909?
The vulnerability arises from the improper handling of TrustedOrigins in the Go package github.com/gorilla/csrf, which permits network attackers to perform Cross-Site Request Forgery (CSRF). Once a host is included in the TrustedOrigins list, request origins are not properly validated: both the HTTP and the HTTPS origin for that host are accepted. An attacker able to host a form on a malicious domain can exploit this to have unauthorized actions executed on behalf of users. To mitigate the risk, developers should migrate to net/http.CrossOriginProtection, or use the backported alternatives available for older Go versions.
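The following is an added illustration, not code from gorilla/csrf or from this advisory, of the class of weakness described above: an origin check that compares only the hostname treats `http://` and `https://` as the same trusted origin, whereas a check that compares the full `scheme://host` does not. The hostnames (`app.example`, `evil.example`), the allow lists and the function names are constructed for the example. In real code the page's recommendation applies: use `net/http.CrossOriginProtection` (added to the standard library in Go 1.25) or its backport rather than a hand-written check.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed configuration for the illustration. trustedHosts mirrors a
// hostname-only allow list of the kind the advisory describes; trustedOrigins
// pins the scheme as well.
var trustedHosts = []string{"app.example"}           // hypothetical hostname-only list
var trustedOrigins = []string{"https://app.example"} // hypothetical scheme-pinned list

var errMissingOrigin = errors.New("csrf: no Origin or Referer header")
var errUntrusted = errors.New("csrf: origin not trusted")

// requestOrigin parses the request's Origin header, falling back to Referer
// when Origin is absent. A missing or malformed value is an error so that
// the caller fails closed.
func requestOrigin(r *http.Request) (*url.URL, error) {
	raw := r.Header.Get("Origin")
	if raw == "" {
		raw = r.Header.Get("Referer")
	}
	if raw == "" {
		return nil, errMissingOrigin
	}
	u, err := url.Parse(raw)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, errUntrusted
	}
	return u, nil
}

// checkHostOnly reproduces the weak behaviour: only the host part of the
// origin is compared, so http://app.example and https://app.example are
// both accepted once "app.example" is trusted.
func checkHostOnly(r *http.Request) error {
	u, err := requestOrigin(r)
	if err != nil {
		return err
	}
	for _, h := range trustedHosts {
		if strings.EqualFold(u.Host, h) {
			return nil
		}
	}
	return errUntrusted
}

// checkExactOrigin is the hardened form: scheme and host must both match a
// configured origin, so the plaintext variant of a trusted host is rejected.
func checkExactOrigin(r *http.Request) error {
	u, err := requestOrigin(r)
	if err != nil {
		return err
	}
	got := strings.ToLower(u.Scheme + "://" + u.Host)
	for _, o := range trustedOrigins {
		if got == strings.ToLower(o) {
			return nil
		}
	}
	return errUntrusted
}

// forgedRequest builds a constructed cross-site POST carrying the given Origin.
func forgedRequest(origin string) *http.Request {
	r, _ := http.NewRequest(http.MethodPost, "https://app.example/transfer", nil)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	for _, o := range []string{"https://app.example", "http://app.example", "https://evil.example", ""} {
		fmt.Printf("%-22q host-only: %v | exact: %v\n",
			o, checkHostOnly(forgedRequest(o)), checkExactOrigin(forgedRequest(o)))
	}
}
```

Running the block prints one line per constructed origin; the `http://app.example` row is the one that matters, since only the host-only variant accepts it. Both checks fail closed when neither Origin nor Referer is present.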
Affected Version(s)
github.com/gorilla/csrf 0