CVE-2025-47909: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-47909 is a vulnerability discovered in github.com/gorilla/csrf affecting all versions up to 1.7.3, with no known fixed version. The vulnerability was discovered on April 18th, 2025, and publicly disclosed on August 29th, 2025. The issue affects the TrustedOrigins functionality in the CSRF protection mechanism (Go Project, NVD).

The vulnerability occurs when hosts listed in TrustedOrigins implicitly allow requests from corresponding HTTP origins, enabling network Man-in-the-Middle (MitM) attacks to perform CSRF attacks. After the CVE-2025-24358 fix, while a network attacker's form at http://example.com cannot submit to https://example.com due to Origin header checks, if a host is added to TrustedOrigins, both HTTP and HTTPS origins become allowed because the schema of the synthetic URL is ignored and only the host is checked. The vulnerability has received a CVSS 3.1 Base Score of 7.3 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (NVD).

When exploited, this vulnerability allows network attackers to perform Cross-Site Request Forgery (CSRF) attacks. For example, if an application hosted on https://example.com adds example.net to TrustedOrigins, a network attacker can serve a form at http://example.net to perform the attack. This impacts applications that have added hosts to TrustedOrigins to work around breakages caused by previous security fixes (Go Project).

Applications are recommended to migrate to net/http.CrossOriginProtection, which was introduced in Go 1.25. For applications unable to upgrade, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla (Go Project).