Gorilla CSRF TrustedOrigins Vulnerability Allowing CSRF Attacks
Vulnerability
A vulnerability in the Gorilla CSRF package allows Cross-Site Request Forgery (CSRF) attacks via the TrustedOrigins feature. When a host is added to TrustedOrigins, requests from both its HTTP and HTTPS origins are implicitly allowed. A network attacker can exploit this by serving a form from the trusted host's HTTP origin; the application accepts the resulting request as though it had come from the secure HTTPS origin. This vulnerability affects all versions of the Gorilla CSRF package.
Impact
Exploiting this vulnerability allows Cross-Site Request Forgery attacks, in which a network attacker tricks a user into performing actions on a web application without their consent.
Reproduction
To reproduce this vulnerability, add a host to the TrustedOrigins list in a Go application that uses the Gorilla CSRF package. Once the host is trusted, a form served from that host's HTTP origin is accepted by the application as a valid request, bypassing the origin check that is meant to protect against such attacks.
Remediation
Applications should migrate to the net/http.CrossOriginProtection feature, introduced in Go 1.25. If migration is not possible, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the Gorilla CSRF API is also available at filippo.io/csrf/gorilla.
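The host-versus-origin mismatch described above, as an added illustration that is neither Gorilla's code nor the page's own: a host-only allow list (the shape TrustedOrigins takes) next to a full-origin allow list, each plugged into a small handler wrapper. The host names, the two lists and the CrossSiteGuard wrapper are constructed for this example; the full-origin list models the property that Go 1.25's CrossOriginProtection.AddTrustedOrigin enforces by taking a complete origin including its scheme.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allow lists for an app at https://app.example that also accepts forms
// from partner.example. Gorilla's TrustedOrigins holds bare hosts (the first shape).
var trustedHosts = []string{"app.example", "partner.example"}                     // host-only (vulnerable)
var trustedOrigins = []string{"https://app.example", "https://partner.example"} // full origin (hardened)

// hostOnlyAllowed models the flawed check: only the host of the Origin header is compared.
func hostOnlyAllowed(origin string) bool {
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		return false
	}
	return containsFold(trustedHosts, u.Host)
}

// fullOriginAllowed is the hardened check: scheme, host and port must all match.
func fullOriginAllowed(origin string) bool { return containsFold(trustedOrigins, origin) }
func containsFold(list []string, s string) bool {
	for _, v := range list {
		if strings.EqualFold(v, s) {
			return true
		}
	}
	return false
}

// CrossSiteGuard rejects state-changing requests whose Origin is missing or not allowed.
func CrossSiteGuard(next http.Handler, allowed func(string) bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		stateChanging := r.Method != http.MethodGet && r.Method != http.MethodHead
		if origin := r.Header.Get("Origin"); stateChanging && (origin == "" || !allowed(origin)) {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Trusted host, plaintext scheme: the advisory's case. Prints "host-only: true full-origin: false".
	fmt.Println("host-only:", hostOnlyAllowed("http://partner.example"), "full-origin:", fullOriginAllowed("http://partner.example"))
}
```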
