CVE-2020-36625: 
vulnerability analysis and mitigation

A vulnerability was identified in destiny.gg chat (versions <=0.0.0-20220628124252-0981d5add8f3) related to WebSocket upgrade CSRF. The vulnerability, tracked as CVE-2020-36625, was discovered in the websocket.Upgrader function within the main.go file (NVD, FortiGuard).

The vulnerability stems from an improper implementation of the CheckOrigin function in the websocket.Upgrader configuration. The original implementation had the CheckOrigin function returning true by default, which bypassed the necessary origin validation checks for WebSocket upgrade requests. This implementation failed to properly validate request origins, potentially allowing cross-site request forgery attacks (GitHub PR).

The vulnerability could potentially allow attackers to perform cross-site request forgery (CSRF) attacks during WebSocket upgrade requests, as the origin validation was effectively disabled by the CheckOrigin function always returning true (GitHub PR).

The vulnerability was fixed by removing the custom CheckOrigin implementation, allowing the system to fall back to the safe default behavior that only permits WebSocket upgrades when the host component of the Origin header matches the Host header (GitHub PR).