Prior to 1.7.3, gorilla/csrf did not validate the Origin header against
an allowlist. It validated the Referer header of cross-origin requests
only when it believed the request was being served over TLS, which it
determined by inspecting r.URL.Scheme. However, net/http never
populates that field for server-side requests (the URL of an incoming
request carries only the path and query, as documented for
http.Request.URL), so the check never ran in practice. This
vulnerability allowed an attacker who had gained XSS on a subdomain or
on the top-level domain to perform authenticated form submissions
against gorilla/csrf-protected targets that shared the same top-level
domain.
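The following is an added example (not gorilla/csrf's own code) showing
the two halves of the bug: a request parsed the way net/http's server
parses it has an empty r.URL.Scheme even when it arrived over TLS, so a
check gated on that field is dead code. Beside it is a hardened check
that derives the request's own origin from r.TLS and the Host header and
compares the Origin (or, failing that, Referer) origin against that and
an explicit allowlist. The raw requests, host names and the function names
serverRequest, vulnerableRefererCheck and hardenedOriginCheck are
constructed for this illustration.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed sample requests (not captured traffic). The first is a
// cross-site POST from a sibling subdomain; the second is same-origin.
const crossSiteRaw = "POST /account/email HTTP/1.1\r\n" +
	"Host: app.example.com\r\n" +
	"Origin: https://evil.example.com\r\n" +
	"Referer: https://evil.example.com/xss\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 0\r\n\r\n"

const sameSiteRaw = "POST /account/email HTTP/1.1\r\n" +
	"Host: app.example.com\r\n" +
	"Origin: https://app.example.com\r\n" +
	"Referer: https://app.example.com/settings\r\n" +
	"Content-Type: application/x-www-form-urlencoded\r\n" +
	"Content-Length: 0\r\n\r\n"

// serverRequest parses a raw request exactly as net/http's server does
// (http.ReadRequest), then marks it TLS-terminated when overTLS is set.
// A real server fills r.TLS from the connection; r.URL.Scheme stays empty
// because the request line carries only "/account/email".
func serverRequest(raw string, overTLS bool) (*http.Request, error) {
	r, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if overTLS {
		r.TLS = &tls.ConnectionState{HandshakeComplete: true}
	}
	return r, nil
}

// vulnerableRefererCheck is an approximation of the pattern the advisory
// describes: compare Referer only when r.URL.Scheme says "https". Because
// Scheme is empty on server requests, the branch never runs and every
// cross-origin request is accepted.
func vulnerableRefererCheck(r *http.Request) bool {
	if r.URL.Scheme == "https" {
		ref, err := url.Parse(r.Referer())
		if err != nil || ref.Host == "" {
			return false
		}
		return strings.EqualFold(ref.Host, r.Host)
	}
	return true
}

// requestOrigin derives the request's own origin from facts the server
// actually knows: whether the connection was TLS, and the Host header.
func requestOrigin(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + strings.ToLower(r.Host)
}

// hardenedOriginCheck accepts a state-changing request only if the
// sender's origin (Origin header, else Referer) exactly equals the
// request's own origin or an entry in the allowlist. A sibling subdomain,
// an http-vs-https mismatch, "null", or missing headers are all rejected.
func hardenedOriginCheck(r *http.Request, trusted []string) bool {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions, http.MethodTrace:
		return true // safe methods are not CSRF targets by contract
	}
	source := r.Header.Get("Origin")
	if source == "" {
		ref, err := url.Parse(r.Referer())
		if err != nil || ref.Scheme == "" || ref.Host == "" {
			return false
		}
		source = ref.Scheme + "://" + ref.Host
	}
	source = strings.ToLower(source)
	if source == requestOrigin(r) {
		return true
	}
	for _, t := range trusted {
		if source == strings.ToLower(t) {
			return true
		}
	}
	return false
}

func main() {
	r, err := serverRequest(crossSiteRaw, true)
	if err != nil {
		panic(err)
	}
	fmt.Printf("r.URL.Scheme=%q  r.TLS set=%v\n", r.URL.Scheme, r.TLS != nil)
	fmt.Println("vulnerable check accepts cross-site POST:", vulnerableRefererCheck(r))
	fmt.Println("hardened check accepts cross-site POST:  ", hardenedOriginCheck(r, nil))
}
```

If TLS is terminated at a reverse proxy, r.TLS is nil on the backend; in
that deployment derive the scheme from a forwarded header that only the
proxy can set, never from r.URL.Scheme.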
For Debian 11 bullseye, this problem has been fixed in version
1.6.2-2+deb11u1.
The following Go packages have been rebuilt in order to fix this issue:
golang-chroma
golang-github-alecthomas-chroma-dev
golang-github-niklasfasching-go-org-dev
golang-github-yuin-goldmark-highlighting-dev
go-org
hugo
We recommend that you upgrade these packages.