CVE-2025-47909
📋 TL;DR
This CVE describes a CSRF bypass in Go CSRF protection that uses a TrustedOrigins allow-list. A network attacker (one who can intercept or inject the plaintext HTTP traffic of a trusted host, since HTTP carries no integrity protection) can defeat the same-origin check: an application that adds a host to TrustedOrigins is exposed to CSRF from both the HTTP and the HTTPS origin of that host, even when only the HTTPS origin was meant to be trusted. This affects Go applications that rely on the vulnerable CSRF protection implementations named below.
💻 Affected Systems
- Go applications whose CSRF protection (net/http.CrossOriginProtection or the filippo.io/csrf backport) has entries in TrustedOrigins
⚠️ Manual Verification Required
This CVE does not carry version ranges in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry (vendor/NVD) provides no affected or fixed version ranges; the Go vulnerability advisory linked under Official Fix is the authoritative source for fixed versions.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Network attackers can perform CSRF attacks to execute unauthorized actions as authenticated users, potentially leading to account takeover, data theft, or unauthorized transactions.
Likely Case
Attackers can perform CSRF attacks to modify user settings, post unauthorized content, or perform actions within the user's privilege level.
If Mitigated
With compensating controls in place (a token-based CSRF check in addition to the origin check), any residual impact is limited to actions within the victim's existing permissions, but those are still actions the user never intended to take.
🎯 Exploit Status
Exploitation requires a network attacker position (the ability to serve or inject content at the plaintext http:// origin of a trusted host and to get the victim's browser to load it) plus knowledge of which hosts are listed in TrustedOrigins.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Go 1.25 (check the advisory below for the exact fixed releases of Go and of the filippo.io/csrf module)
Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-3884
Restart Required: Yes
Instructions:
1. Upgrade to Go 1.25 or later.
2. Migrate to net/http.CrossOriginProtection.
3. Restart affected applications.
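As an added example (not the net/http or filippo.io/csrf source, and not code from this page), the Go program below contrasts a host-only trusted-origin comparison, the class of mistake this CVE describes, with a comparison on the full scheme://host origin, and wraps the hardened form in a simplified Sec-Fetch-Site/Origin check in the style of net/http.CrossOriginProtection. The type and function names (WeakTrustedOrigins, TrustedOrigins, Check) and the hosts admin.example.com and app.example.com are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Illustrative code, not the net/http or filippo.io/csrf source.

// normalizeOrigin reduces an Origin value to lower-case "scheme://host[:port]"
// and rejects anything that is not a bare http or https origin.
func normalizeOrigin(origin string) (string, error) {
	u, err := url.Parse(origin)
	if err != nil {
		return "", err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" ||
		u.User != nil || u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("invalid origin %q", origin)
	}
	return strings.ToLower(u.Scheme + "://" + u.Host), nil
}

// WeakTrustedOrigins remembers only the host, so adding
// "https://admin.example.com" silently trusts "http://admin.example.com" too.
type WeakTrustedOrigins map[string]bool

func (w WeakTrustedOrigins) Add(origin string) error {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return fmt.Errorf("invalid origin %q", origin)
	}
	w[strings.ToLower(u.Host)] = true
	return nil
}

func (w WeakTrustedOrigins) Allow(origin string) bool {
	u, err := url.Parse(origin)
	return err == nil && w[strings.ToLower(u.Host)]
}

// TrustedOrigins is the hardened form: the whole scheme://host is the key.
type TrustedOrigins map[string]bool

func (t TrustedOrigins) Add(origin string) error {
	o, err := normalizeOrigin(origin)
	if err != nil {
		return err
	}
	t[o] = true
	return nil
}

func (t TrustedOrigins) Allow(origin string) bool {
	o, err := normalizeOrigin(origin)
	return err == nil && t[o]
}

var ErrCrossOrigin = fmt.Errorf("cross-origin request rejected")

// Check is a simplified Fetch-Metadata/Origin check: safe methods and
// same-origin requests pass; cross-site requests need a trusted Origin.
func Check(t TrustedOrigins, r *http.Request) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	site := r.Header.Get("Sec-Fetch-Site")
	if site == "same-origin" || site == "none" {
		return nil
	}
	origin := r.Header.Get("Origin")
	if origin == "" {
		if site == "" {
			return nil // no browser metadata at all: treated as a non-browser client
		}
		return ErrCrossOrigin
	}
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if o, err := normalizeOrigin(origin); err == nil && o == scheme+"://"+strings.ToLower(r.Host) {
		return nil // same origin as the request itself
	}
	if t.Allow(origin) {
		return nil
	}
	return ErrCrossOrigin
}

func main() {
	trusted := TrustedOrigins{}
	_ = trusted.Add("https://admin.example.com")
	fmt.Println("https accepted:", trusted.Allow("https://admin.example.com"))
	fmt.Println("http accepted:", trusted.Allow("http://admin.example.com"))
}
```

Wire Check into a middleware that answers 403 on ErrCrossOrigin before calling the next handler. The property to confirm in your own code or in a vendored CSRF library is the one the Allow methods illustrate: adding https://admin.example.com must not make http://admin.example.com acceptable.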
🔧 Temporary Workarounds
Use backport module
On Go releases before 1.25, use the filippo.io/csrf module, a backport of net/http.CrossOriginProtection, as a drop-in replacement for the vulnerable CSRF implementation (filippo.io/csrf/gorilla offers a gorilla/csrf-compatible API). Make sure the version you pull is at or above the fixed version listed in the advisory:
go get filippo.io/csrf
go get filippo.io/csrf/gorilla
🧯 If You Can't Patch
- Remove every TrustedOrigins entry you do not strictly need. While unpatched, each https:// entry also implicitly trusts the http:// origin of that host, so treat every trusted host as if its plaintext origin were on the list
- Add a second, independent CSRF layer, such as synchronizer-token (per-session token) validation on state-changing requests, so that bypassing the origin check alone is not enough
🔍 How to Verify
Check if Vulnerable:
The application is vulnerable if it configures TrustedOrigins (through net/http.CrossOriginProtection or filippo.io/csrf) and is built with a Go release or module version from before the fix; govulncheck reports findings from the Go vulnerability database, which includes GO-2025-3884
Check Version:
go version
Verify Fix Applied:
Confirm the build uses Go 1.25+ with net/http.CrossOriginProtection, or a filippo.io/csrf version at or above the fixed version in the advisory (go list -m filippo.io/csrf shows the resolved version), and that govulncheck no longer reports GO-2025-3884
📡 Detection & Monitoring
Log Indicators:
- State-changing (non-GET/HEAD/OPTIONS) requests whose Origin or Referer header uses the http:// scheme with a host that appears in TrustedOrigins; a trusted origin served over HTTPS should never produce one
Network Indicators:
- Plaintext HTTP traffic to a trusted host (for example where HSTS is missing or an HTTP-to-HTTPS downgrade is possible), which is what gives a network attacker the position needed for this attack
SIEM Query:
http.method NOT IN ('GET', 'HEAD', 'OPTIONS') AND http.request.headers.origin LIKE 'http://%' AND origin_host IN (trusted_origins_hosts)
Field names are illustrative; map them to your log schema. Note that the source IP of such a request is the victim's browser, not the trusted host, so a filter on source_ip against the trusted hosts will not catch it.
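As an added example for the log indicator above (not part of the original page; the JSON field names and the sample records are constructed for illustration), this Go program scans access-log lines for state-changing requests whose Origin header is the http:// variant of a trusted host, which is exactly the traffic the vulnerable check would have accepted.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// AccessLog is one JSON access-log record. The field names are assumptions
// for this example; map them onto whatever your proxy or application emits.
type AccessLog struct {
	Method       string `json:"method"`
	Host         string `json:"host"`
	Path         string `json:"path"`
	Origin       string `json:"origin"`         // Origin request header, "" if absent
	SecFetchSite string `json:"sec_fetch_site"` // Sec-Fetch-Site header, "" if absent
	ClientIP     string `json:"client_ip"`
}

// SampleLogs is constructed for this example and is not real traffic.
const SampleLogs = `{"method":"POST","host":"app.example.com","path":"/settings","origin":"https://app.example.com","sec_fetch_site":"same-origin","client_ip":"203.0.113.5"}
{"method":"POST","host":"app.example.com","path":"/settings","origin":"http://admin.example.com","sec_fetch_site":"cross-site","client_ip":"198.51.100.9"}
{"method":"GET","host":"app.example.com","path":"/","origin":"http://admin.example.com","sec_fetch_site":"cross-site","client_ip":"198.51.100.9"}
{"method":"POST","host":"app.example.com","path":"/transfer","origin":"https://admin.example.com","sec_fetch_site":"cross-site","client_ip":"192.0.2.77"}
{"method":"POST","host":"app.example.com","path":"/transfer","origin":"http://evil.example.net","sec_fetch_site":"cross-site","client_ip":"192.0.2.78"}`

// hostSet returns the lower-cased host[:port] of each configured trusted origin.
func hostSet(trustedOrigins []string) (map[string]bool, error) {
	hosts := map[string]bool{}
	for _, o := range trustedOrigins {
		u, err := url.Parse(o)
		if err != nil || u.Host == "" {
			return nil, fmt.Errorf("invalid trusted origin %q", o)
		}
		hosts[strings.ToLower(u.Host)] = true
	}
	return hosts, nil
}

func safeMethod(m string) bool {
	return m == "GET" || m == "HEAD" || m == "OPTIONS"
}

// FindDowngradedOrigins returns every state-changing request whose Origin
// header is the plaintext http:// variant of a trusted host: the requests a
// host-only trusted-origin comparison would have accepted. Requests from
// untrusted origins are skipped here because the library rejects them anyway
// and they show up as ordinary 403s.
func FindDowngradedOrigins(trustedOrigins []string, logs string) ([]AccessLog, error) {
	hosts, err := hostSet(trustedOrigins)
	if err != nil {
		return nil, err
	}
	var hits []AccessLog
	sc := bufio.NewScanner(strings.NewReader(logs))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var rec AccessLog
		if err := json.Unmarshal([]byte(line), &rec); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		if safeMethod(rec.Method) || rec.Origin == "" {
			continue
		}
		u, err := url.Parse(rec.Origin)
		if err != nil || u.Scheme != "http" {
			continue // https origins and unparsable values are not this indicator
		}
		if hosts[strings.ToLower(u.Host)] {
			hits = append(hits, rec)
		}
	}
	return hits, sc.Err()
}

func main() {
	hits, err := FindDowngradedOrigins([]string{"https://admin.example.com"}, SampleLogs)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("ALERT client=%s %s %s Origin=%s Sec-Fetch-Site=%s\n",
			h.ClientIP, h.Method, h.Path, h.Origin, h.SecFetchSite)
	}
}
```

Run against the sample, only the second record fires: the GET with the same Origin is excluded because safe methods are not protected, and the https://admin.example.com request is what a trusted origin legitimately looks like.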