6

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46721

GHSA ID

GHSA-w9hf-35q4-vcjw

EPSS Score

0.00498%

CWE

CWE-352

Published

5/14/2025

Updated

5/14/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-46721

CVE-2025-46721: nosurf vulnerable to CSRF due to non-functional same-origin request checks

Impact

This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS, or otherwise) to bypass Cross-Site Request Forgery checks and issue requests on user's behalf.

Details

Due to misuse of the Go net/http library, nosurf categorizes all incoming requests as plain-text HTTP requests, in which case the Referer header is not checked to have the same origin as the target webpage.

If the attacker has control over HTML contents on either the target website (e.g. example.com), or on a website hosted on a subdomain of the target (e.g. attacker.example.com), they will also be able to manipulate cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the cookie with a new token known to the attacker, attacker.example.com is able to craft cross-site requests to example.com.

Patches

A patch for the issue was released in nosurf 1.2.0.

Workarounds

In lieu of upgrading to a patched version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP request is coming from the same origin (e.g. by requiring a Sec-Fetch-Site: same-origin header in the request).

References

https://github.com/advisories/GHSA-rq77-p4h8-4crw https://github.com/justinas/nosurf-cve-2025-46721 https://www.cve.org/CVERecord?id=CVE-2025-46721 https://github.com/justinas/nosurf/releases/tag/v1.2.0

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-46721

CVE-2025-46721:

6

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2025-46721

GHSA ID

GHSA-w9hf-35q4-vcjw

EPSS Score

0.00498%

CWE

CWE-352

Published

5/14/2025

Updated

5/14/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/justinas/nosurf	go	< 1.2.0	1.2.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description states that nosurf failed to check the Referer header for requests it categorized as plain-text HTTP. The provided commit ec9bb776d8e5ba9e906b6eb70428f4e7b009feee shows modifications to handler.go. The core change is within the (*CSRFHandler).ServeHTTP method. The diff shows the removal of a conditional block that only checked the Referer header if r.URL.Scheme == "https". This conditional check is the direct cause of the vulnerability, as requests not meeting this condition (e.g., HTTP requests, or HTTPS requests where the Go application sees them as HTTP due to a terminating proxy) would bypass the Referer validation. The patch replaces this flawed inline logic with a call to a new method h.ensureSameOrigin(r), which implements more comprehensive origin verification (checking Sec-Fetch-Site, Origin, and then Referer, with configurable TLS detection). Therefore, (*CSRFHandler).ServeHTTP is identified as the vulnerable function because it housed the insufficient origin check logic that led to the CSRF vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-46721: nosurf vulnerable to CSRF due to non-functional same-origin request checks

Impact

Details

Patches

Workarounds

References

CVE-2025-46721:

6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6

6

CVE-2025-46721: nosurf vulnerable to CSRF due to non-functional same-origin request checks

Impact

Details

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI