Update module github.com/gorilla/csrf to v1.7.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gorilla/csrf	v1.7.1 → v1.7.3

GitHub Vulnerability Alerts

CVE-2025-24358

Summary

gorilla/csrf is vulnerable to CSRF via form submission from origins that share a top level domain with the target origin.

Details

gorilla/csrf does not validate the Origin header against an allowlist. Its executes its validation of the Referer header for cross-origin requests only when it believes the request is being served over TLS. It determines this by inspecting the r.URL.Scheme value. However, this value is never populated for "server" requests per the Go spec, and so this check does not run in practice.

	// URL specifies either the URI being requested (for server
	// requests) or the URL to access (for client requests).
	//
	// For server requests, the URL is parsed from the URI
	// supplied on the Request-Line as stored in RequestURI.  For
	// most requests, fields other than Path and RawQuery will be
	// empty. (See [RFC 7230, Section 5.3](https://rfc-editor.org/rfc/rfc7230.html#section-5.3))
	//
	// For client requests, the URL's Host specifies the server to
	// connect to, while the Request's Host field optionally
	// specifies the Host header value to send in the HTTP
	// request.
	URL *[url](https://pkg.go.dev/net/url).[URL](https://pkg.go.dev/net/url#URL)

PoC

• create trusted origin target.example.test protected with gorilla/csrf and served over TLS hosting form on /submit
• create attacker origin attack.example.test served over TLS
• attacker exfiltrates token & cookie combination from target.example.test
• attacker sets exfiltrated cookie with domain=.example.test and path=/submit
  • as the cookie has a more specific path than / (the default for CSRF cookies) it will be sent first by the browser on submit to our target origin
• submit form from attack.example.test with exfiltrated CSRF form token
• observe valid form submission as attack.example.test Origin / Referer headers are not validated.

Impact

This vulnerability allows an attacker who has gained XSS on a subdomain or top level domain to perform authenticated form submissions against gorilla/csrf protected targets that share the same top level domain.

This bug has existed in gorilla/csrf since its initial release in 2015.

---

Release Notes

gorilla/csrf (github.com/gorilla/csrf)

v1.7.3

Compare Source

This Release fixes the following:

• CVE-2025-24358

Full Changelog: gorilla/csrf@v1.7.2...v1.7.3

v1.7.2

Compare Source

What's Changed

• Remove pkg/errors dependency by @​husio in #​161
• Update README.md by @​coreydaley in #​164
• [GPT-96] Update go version & add verification/testing tools by @​apoorvajagtap in #​166
• updated licence by @​apoorvajagtap in #​167
• Update issues.yml by @​coreydaley in #​168
• issues/158/examples for working api with javascript frontend by @​francoposa in #​162
• updating github action workflows by @​coreydaley in #​169
• Updating gorilla/securecookie to v1.1.2 by @​coreydaley in #​170

New Contributors

• @​husio made their first contribution in #​161
• @​coreydaley made their first contribution in #​164
• @​apoorvajagtap made their first contribution in #​166
• @​francoposa made their first contribution in #​162

Full Changelog: gorilla/csrf@v1.7.1...v1.7.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 1 additional dependency was updated

Details:

Package	Change
github.com/gorilla/securecookie	v1.1.1 -> v1.1.2