
CVE-2020-36564: nosurf vulnerable to improper input validation

CVSS Score
7.5 (CVSS v3.1)

Basic Information

EPSS Score
0.2279%
Published
12/28/2022
Updated
2/3/2023
KEV Status
No
Technology
Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package Name
github.com/justinas/nosurf
Ecosystem
go
Vulnerable Versions
< 1.1.1
First Patched Version
1.1.1

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stemmed from two key issues: 1) VerifyToken used error-prone base64 decoding that did not check whether the input was valid, so malformed tokens decoded to empty values. 2) The legacy b64decode helper function ignored decoding errors. Combined, these allowed an attacker to submit an arbitrary token that would be accepted as valid whenever the expected token was malformed. The patch replaced b64decode with error-checked base64 decoding and added length validation in tokensEqual(), confirming these functions as the root cause.
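The failure mode described above, as an added example that is not nosurf's own source: a simplified reconstruction of the vulnerable verify path (error-swallowing decode plus a bare constant-time compare) next to the hardened one (error-checked decode plus length validation). Function names follow the advisory; the bodies, the 32-byte token length and the sample tokens are assumptions, and nosurf's token masking is omitted.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

const tokenLength = 32 // assumed raw token size

// Constructed sample tokens (not real nosurf values).
var (
	goodToken      = base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef"))
	shortToken     = base64.StdEncoding.EncodeToString([]byte("short")) // valid base64, wrong length
	malformedToken = "not*valid*base64"                                 // not decodable at all
)

// b64decodeLegacy models the old helper: the decode error is swallowed,
// so a malformed token silently becomes an empty slice.
func b64decodeLegacy(s string) []byte {
	decoded, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil
	}
	return decoded
}

// VerifyTokenVuln: two undecodable tokens both become empty, and
// subtle.ConstantTimeCompare reports two empty slices as equal.
func VerifyTokenVuln(realToken, sentToken string) bool {
	r, s := b64decodeLegacy(realToken), b64decodeLegacy(sentToken)
	return subtle.ConstantTimeCompare(r, s) == 1
}

// VerifyTokenFixed: a decode error rejects the request outright, and
// both tokens must have the expected length before being compared.
func VerifyTokenFixed(realToken, sentToken string) bool {
	r, err := base64.StdEncoding.DecodeString(realToken)
	if err != nil {
		return false
	}
	s, err := base64.StdEncoding.DecodeString(sentToken)
	if err != nil {
		return false
	}
	return len(r) == tokenLength && len(s) == tokenLength &&
		subtle.ConstantTimeCompare(r, s) == 1
}

func main() {
	fmt.Println("vulnerable, malformed expected token:", VerifyTokenVuln(malformedToken, "also*bad")) // true
	fmt.Println("fixed, malformed expected token:     ", VerifyTokenFixed(malformedToken, "also*bad")) // false
	fmt.Println("fixed, matching well-formed tokens:  ", VerifyTokenFixed(goodToken, goodToken))       // true
}
```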


WAF Protection Rules

WAF Rule

Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
