{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-46721","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-04-28T20:56:09.084Z","datePublished":"2025-05-13T15:29:30.068Z","dateUpdated":"2025-05-13T19:07:23.093Z"},"containers":{"cna":{"title":"nosurf vulnerable to CSRF due to non-functional same-origin request checks","problemTypes":[{"descriptions":[{"cweId":"CWE-352","lang":"en","description":"CWE-352: Cross-Site Request Forgery (CSRF)","type":"CWE"}]}],"metrics":[{"cvssV4_0":{"attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","baseScore":6,"baseSeverity":"MEDIUM","vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N","version":"4.0"}}],"references":[{"name":"https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw","tags":["x_refsource_CONFIRM"],"url":"https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw"},{"name":"https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee","tags":["x_refsource_MISC"],"url":"https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee"},{"name":"https://github.com/advisories/GHSA-rq77-p4h8-4crw","tags":["x_refsource_MISC"],"url":"https://github.com/advisories/GHSA-rq77-p4h8-4crw"},{"name":"https://github.com/justinas/nosurf-cve-2025-46721","tags":["x_refsource_MISC"],"url":"https://github.com/justinas/nosurf-cve-2025-46721"},{"name":"https://github.com/justinas/nosurf/releases/tag/v1.2.0","tags":["x_refsource_MISC"],"url":"https://github.com/justinas/nosurf/releases/tag/v1.2.0"}],"affected":[{"vendor":"justinas","product":"nosurf","versions":[{"version":"< 1.2.0","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2025-05-13T15:29:30.068Z"},"descriptions":[{"lang":"en","value":"nosurf is cross-site request forgery (CSRF) protection middleware for Go. Versions prior to 1.2.0 allow an attacker who controls content on the target site, or on a subdomain of the target site (via XSS or otherwise), to bypass CSRF checks and issue requests on the user's behalf. Due to a misuse of the Go `net/http` library, nosurf classifies every incoming request, including HTTPS requests, as a plain-text HTTP request, and for plain-text requests it does not check that the `Referer` header has the same origin as the target page. An attacker who controls HTML content on the target website (e.g. `example.com`), or on a website hosted on a subdomain of the target (e.g. `attacker.example.com`), can also manipulate cookies set for the target website. By reading the secret CSRF token from the cookie, or by overwriting the cookie with a new token known to the attacker, `attacker.example.com` can craft cross-site requests to `example.com` that pass nosurf's checks. A patch for the issue was released in nosurf 1.2.0. Users who cannot upgrade to a patched version can instead add another HTTP middleware that ensures every non-safe HTTP request comes from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header on the request)."}],"source":{"advisory":"GHSA-w9hf-35q4-vcjw","discovery":"UNKNOWN"}},"adp":[{"references":[{"url":"https://github.com/advisories/GHSA-rq77-p4h8-4crw","tags":["exploit"]}],"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-05-13T19:07:19.880514Z","id":"CVE-2025-46721","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-05-13T19:07:23.093Z"}}]}}
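The `Sec-Fetch-Site: same-origin` workaround named in the description, as an added Go example; this is not nosurf's own code and not the upstream fix shipped in 1.2.0. The middleware, handler and route (`RequireSameOrigin`, `/transfer`, `example.com`) are assumed names for illustration, and the five requests in `main` are constructed inline. The point worth seeing in code is the value the browser sends for the advisory's subdomain attacker: a form on `attacker.example.com` posting to `example.com` arrives with `Sec-Fetch-Site: same-site`, not `same-origin`, so requiring exactly `same-origin` blocks it, while a `Referer` or cookie-based check that the subdomain can tamper with would not.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// safeMethods are the HTTP methods that must not change server state
// (RFC 9110 section 9.2.1); CSRF defences only need to gate the others.
var safeMethods = map[string]bool{
	http.MethodGet: true, http.MethodHead: true,
	http.MethodOptions: true, http.MethodTrace: true,
}

// RequireSameOrigin wraps next and rejects every non-safe request that does
// not carry "Sec-Fetch-Site: same-origin". The header is a Fetch Metadata
// header written by the browser itself; page script cannot set or override
// it, so content on attacker.example.com cannot forge it for a request to
// example.com (the browser labels that request "same-site"). Requests with
// no header at all (old browsers, curl) are rejected too; relax that only
// for an explicit allow-list of non-browser clients.
func RequireSameOrigin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !safeMethods[r.Method] && r.Header.Get("Sec-Fetch-Site") != "same-origin" {
			http.Error(w, "cross-origin request rejected", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor runs one constructed request through the middleware and returns
// the status code the client would see, so the decision can be unit-tested.
// An empty secFetchSite means the header is absent.
func StatusFor(method, secFetchSite string) int {
	h := RequireSameOrigin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK) // hypothetical state-changing endpoint
	}))
	req := httptest.NewRequest(method, "https://example.com/transfer", nil)
	if secFetchSite != "" {
		req.Header.Set("Sec-Fetch-Site", secFetchSite)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample requests covering the origins in the advisory.
	cases := []struct{ method, site string }{
		{"POST", "same-origin"}, // form on example.com itself: allowed
		{"POST", "same-site"},   // form on attacker.example.com: blocked
		{"POST", "cross-site"},  // form on an unrelated site: blocked
		{"POST", ""},            // no Fetch Metadata at all: blocked
		{"GET", "cross-site"},   // safe method: never gated
	}
	for _, c := range cases {
		fmt.Printf("%-4s Sec-Fetch-Site=%-13q -> %d\n", c.method, c.site, StatusFor(c.method, c.site))
	}
}
```

Mount it outside nosurf (`RequireSameOrigin(nosurf.New(mux))` or in front of whatever handler chain you have) so that the Fetch Metadata check runs regardless of how the inner middleware classifies the request's scheme. This is a stopgap for deployments that cannot move to 1.2.0; upgrading remains the fix.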