
Cloud Vulnerability DB
A community-led vulnerabilities database
The vulnerability (CVE-2020-36564) affects the nosurf package in Go before version v1.1.1. Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user-supplied token to be considered valid. This vulnerability was discovered in August 2020 and fixed in version v1.1.1 (Go Packages).
The vulnerability exists in the VerifyToken function, which failed to reject malformed tokens. Before the patch, the function could treat arbitrary token pairs as equal, including empty strings and invalid base64-encoded values, because base64 decoding errors and other special cases were not handled as verification failures, allowing the token validation to be bypassed (GitHub PR).
This vulnerability could allow an attacker to bypass CSRF protection if they can trick the application into using an arbitrary value as the real token. While the vulnerability is not directly exploitable when using the standard nosurf.Token(r) function, it becomes critical in cases where developers might pass an empty string as the real token due to code bugs or when mocking the token in tests (GitHub PR).
The issue has been fixed in version v1.1.1 of the nosurf package. The fix includes proper handling of empty values and base64 decoding errors as verification failures. Users should upgrade to version v1.1.1 or later to address this vulnerability (Go Packages).
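The following added example (not nosurf's source code) models the failure mode described above in simplified form: a verifier that discards base64 decode errors compares two empty slices as equal, so an empty or malformed expected token "matches" a malformed submitted token; the strict variant treats empty values and decode errors as failures, as the fix does. Token values below are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// verifyLenient is a simplified, illustrative verifier (not nosurf's code):
// decode errors are discarded, so a malformed or empty expected token
// decodes to an empty slice, and an empty slice compares equal to any
// other empty slice. Two malformed tokens therefore appear to match.
func verifyLenient(realToken, sentToken string) bool {
	r, _ := base64.StdEncoding.DecodeString(realToken)
	s, _ := base64.StdEncoding.DecodeString(sentToken)
	return subtle.ConstantTimeCompare(r, s) == 1
}

// verifyStrict treats an empty value or a decode error on either side as a
// verification failure, which is the behaviour the v1.1.1 fix describes.
func verifyStrict(realToken, sentToken string) bool {
	r, err := base64.StdEncoding.DecodeString(realToken)
	if err != nil || len(r) == 0 {
		return false
	}
	s, err := base64.StdEncoding.DecodeString(sentToken)
	if err != nil || len(s) == 0 {
		return false
	}
	return subtle.ConstantTimeCompare(r, s) == 1
}

func main() {
	good := base64.StdEncoding.EncodeToString([]byte("constructed-token"))
	// Constructed cases: an empty "real" token models the code-bug or
	// test-mock scenario from the advisory; "!!!!" is not valid base64.
	cases := [][2]string{{"", ""}, {"", "!!!!"}, {"not-base64!", "!!!!"}, {good, good}, {good, ""}}
	for _, c := range cases {
		fmt.Printf("real=%q sent=%q lenient=%t strict=%t\n",
			c[0], c[1], verifyLenient(c[0], c[1]), verifyStrict(c[0], c[1]))
	}
}
```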
Source: This report was generated using AI