CVE-2025-24358 is a Cross-Site Request Forgery (CSRF) vulnerability affecting versions of the gorilla/csrf middleware prior to 1.7.3. Gorilla/csrf is a widely used Go language middleware designed to protect web applications and services from CSRF attacks by validating requests to ensure they originate from trusted sources. The vulnerability arises because the middleware does not properly validate the Origin header against an allowlist and only conditionally validates the Referer header for cross-origin requests when it believes the request is served over TLS. This determination relies on the r.URL.Scheme value, which, according to the Go specification, is never populated for "server" requests. Consequently, the Referer header validation does not execute in practice, leaving the application vulnerable. An attacker who has already achieved Cross-Site Scripting (XSS) on a subdomain or the top-level domain can exploit this flaw to perform authenticated form submissions on behalf of users against gorilla/csrf-protected targets sharing the same top-level domain. This attack vector bypasses the CSRF protections intended by the middleware. The vulnerability has a CVSS 4.0 score of 5.4 (medium severity), reflecting its moderate impact and exploitation complexity. No known exploits are currently reported in the wild. The issue is resolved in version 1.7.3 of gorilla/csrf, where proper Origin header validation and consistent Referer header checks are implemented regardless of the request scheme detection. This vulnerability highlights the importance of correctly validating request origins in CSRF defenses, especially in the context of Go web applications where certain request metadata may be absent or unreliable.

For European organizations using Go-based web applications protected by gorilla/csrf middleware versions prior to 1.7.3, this vulnerability poses a significant risk. If an attacker can exploit an existing XSS vulnerability on a subdomain or the main domain, they can leverage this CSRF flaw to perform unauthorized actions on behalf of authenticated users. This can lead to unauthorized data modification, transaction manipulation, or privilege escalation within web applications. The impact is particularly critical for sectors handling sensitive data or critical services, such as finance, healthcare, and government, where unauthorized actions can cause data breaches, financial loss, or operational disruption. The vulnerability does not require prior authentication but does require the attacker to have XSS access on a related domain, which limits the attack surface but still represents a serious chained attack vector. Since gorilla/csrf is a common middleware in Go web services, organizations relying on Go for internal or customer-facing applications are at risk. The lack of proper Origin and Referer validation undermines the trust model of CSRF protection, potentially exposing European enterprises to targeted attacks that exploit domain trust boundaries. Additionally, the vulnerability could facilitate lateral movement within an organization's web infrastructure if subdomains are compromised.

1. Immediate upgrade of gorilla/csrf middleware to version 1.7.3 or later, where the vulnerability is patched with proper Origin header validation and consistent Referer checks. 2. Conduct a thorough audit of all Go web applications to identify usage of vulnerable gorilla/csrf versions. 3. Implement strict Content Security Policy (CSP) headers to reduce the risk and impact of XSS vulnerabilities, thereby limiting the prerequisite for exploiting this CSRF flaw. 4. Enforce subdomain isolation and use separate top-level domains or different domain names for sensitive applications to reduce the risk of cross-domain attacks. 5. Employ additional CSRF mitigation techniques such as double-submit cookies or custom CSRF tokens validated server-side, especially in legacy applications where upgrading middleware is not immediately feasible. 6. Monitor and log unusual authenticated form submissions and cross-origin requests to detect potential exploitation attempts. 7. Educate developers on the importance of validating Origin and Referer headers and understanding Go’s request handling nuances to avoid similar issues. 8. Regularly scan for and remediate XSS vulnerabilities, as they are a prerequisite for exploiting this CSRF vulnerability.