
CVE-2025-47909: github.com/gorilla/csrf improperly validates TrustedOrigins allowing CSRF attacks

CVSS Score: N/A

Basic Information

EPSS Score: -
Published: 8/29/2025
Updated: 8/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: -

Affected package
Package Name: github.com/gorilla/csrf
Ecosystem: go
Vulnerable Versions: <= 1.7.3
First Patched Version: -

Vulnerability Intelligence

Miggo AI: Root Cause Analysis

CVE-2025-47909 affects the github.com/gorilla/csrf library and stems from improper validation of trusted origins. Review of the vulnerability description and of the code changes in commit 9dd6af1f6d30fc79fb0d972394deebdabad6b5eb shows that the issue lies in the ServeHTTP method of the csrf struct, the middleware's request handler.

The commit changes how ServeHTTP validates the Origin header. In the vulnerable versions, when a request carries an Origin header the middleware parses it and, if it is not the same origin as the request (same scheme and host), falls back to checking whether the origin's host appears in the TrustedOrigins list: slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host). That comparison looks only at the host and ignores the scheme, so an HTTP origin is accepted wherever the corresponding HTTPS origin was meant to be trusted; the patch adds the missing scheme check.

In practice this lets a network attacker, one positioned to tamper with a victim's plaintext HTTP traffic, abuse any host listed in the TrustedOrigins of a target served over HTTPS. Suppose https://example.com lists example.net in TrustedOrigins. The attacker cannot compromise https://example.net, but they can inject a page carrying an auto-submitting form into an http://example.net response. When the victim's browser loads that page, the form posts to https://example.com and the browser attaches Origin: http://example.net. The origin check does not block it: http://example.net is not the same origin as https://example.com, but its host, example.net, is in TrustedOrigins, and because the scheme is never compared the request is treated as trusted. The consequence for operators is that every entry in TrustedOrigins implicitly trusted its plaintext HTTP counterpart as well, with no way to opt out short of upgrading.

The vulnerable function is csrf.ServeHTTP, as it contains the flawed logic for origin validation. This function would appear in a runtime profile during the exploitation of this vulnerability.
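To make the scheme gap concrete, the following is an added Go example written for this page; it is not code from gorilla/csrf. It reproduces the host-only TrustedOrigins decision described above beside a scheme-aware version and runs both over constructed cross-site form requests. The function names (originAllowedVulnerable, originAllowedFixed, newCrossSiteRequest, originHeaderAllowed), the trusted list, the target URL and the sample origins are assumptions for illustration; sameOrigin mirrors the scheme-plus-host comparison the library's check relies on, and the real middleware's other fallbacks (token validation, Referer handling) are deliberately not modelled.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"slices"
	"strings"
)

// sameOrigin compares scheme and host, the two components the request/Origin
// comparison relies on. (Added example, not the gorilla/csrf source.)
func sameOrigin(a, b *url.URL) bool {
	return a.Scheme == b.Scheme && a.Host == b.Host
}

// originAllowedVulnerable reproduces the pre-fix decision: a cross-origin
// Origin is accepted as soon as its host appears in trusted, whatever its
// scheme. This is the slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host)
// behaviour described in the analysis.
func originAllowedVulnerable(target *url.URL, origin string, trusted []string) bool {
	parsed, err := url.Parse(origin)
	if err != nil || parsed.Host == "" {
		return false // malformed or "null" Origin: no host to compare
	}
	return sameOrigin(target, parsed) || slices.Contains(trusted, parsed.Host)
}

// originAllowedFixed is the scheme-aware variant: a trusted host only counts
// when the Origin is served over HTTPS, so a plaintext page a network attacker
// injects at http://example.net no longer satisfies the check.
func originAllowedFixed(target *url.URL, origin string, trusted []string) bool {
	parsed, err := url.Parse(origin)
	if err != nil || parsed.Host == "" {
		return false
	}
	if sameOrigin(target, parsed) {
		return true
	}
	return parsed.Scheme == "https" && slices.Contains(trusted, parsed.Host)
}

// newCrossSiteRequest builds a constructed sample of the form POST a victim's
// browser would send to the HTTPS target, with the Origin header browsers add
// automatically to cross-site form submissions. URL and body are illustrative.
func newCrossSiteRequest(origin string) *http.Request {
	body := strings.NewReader("to=attacker&amount=1000")
	req, err := http.NewRequest(http.MethodPost, "https://example.com/transfer", body)
	if err != nil {
		panic(err) // constant, well-formed URL; cannot fail
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Origin", origin)
	return req
}

// originHeaderAllowed applies either policy to a request the way a middleware
// would: read the Origin header, then decide against the trusted list. A request
// without an Origin header is rejected here for simplicity; the real middleware
// has further fallbacks that this example does not model.
func originHeaderAllowed(req *http.Request, trusted []string, fixed bool) bool {
	origin := req.Header.Get("Origin")
	if origin == "" {
		return false
	}
	if fixed {
		return originAllowedFixed(req.URL, origin, trusted)
	}
	return originAllowedVulnerable(req.URL, origin, trusted)
}

func main() {
	trusted := []string{"example.net"} // the partner host the target trusts
	for _, origin := range []string{
		"https://example.com",  // same origin as the target
		"https://example.net",  // the partner the operator meant to trust
		"http://example.net",   // what a network attacker can serve in plaintext
		"https://evil.example", // untrusted third party
		"null",                 // opaque origin some browsers send
	} {
		req := newCrossSiteRequest(origin)
		fmt.Printf("%-21s vulnerable=%-5v fixed=%v\n", origin,
			originHeaderAllowed(req, trusted, false),
			originHeaderAllowed(req, trusted, true))
	}
}
```

Running it shows the single row that differs between the two policies: http://example.net is accepted by the host-only check and rejected by the scheme-aware one, while same-origin, HTTPS-trusted, untrusted and opaque origins are decided identically. The fixed variant requires https rather than merely matching the target's scheme, because the purpose of the check is to keep a plaintext-capable attacker out of the trust relationship.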


WAF Protection Rules

WAF Rule

Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to s
