{"id":"GO-2025-3683","summary":"Vulnerable to CSRF due to non-functional same-origin request checks in github.com/justinas/nosurf","details":"Vulnerable to CSRF due to non-functional same-origin request checks in github.com/justinas/nosurf","aliases":["CVE-2025-46721","GHSA-w9hf-35q4-vcjw"],"modified":"2025-06-12T14:09:57Z","published":"2025-05-15T19:23:25Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2025-3683","review_status":"REVIEWED"},"references":[{"type":"ADVISORY","url":"https://github.com/justinas/nosurf/security/advisories/GHSA-w9hf-35q4-vcjw"},{"type":"FIX","url":"https://github.com/justinas/nosurf/commit/ec9bb776d8e5ba9e906b6eb70428f4e7b009feee"},{"type":"WEB","url":"https://github.com/advisories/GHSA-rq77-p4h8-4crw"},{"type":"WEB","url":"https://github.com/justinas/nosurf-cve-2025-46721"},{"type":"WEB","url":"https://github.com/justinas/nosurf/releases/tag/v1.2.0"}],"affected":[{"package":{"name":"github.com/justinas/nosurf","ecosystem":"Go","purl":"pkg:golang/github.com/justinas/nosurf"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.0"}]}],"ecosystem_specific":{"imports":[{"symbols":["CSRFHandler.ServeHTTP","New","NewPure"],"path":"github.com/justinas/nosurf"}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2025-3683.json"}}],"schema_version":"1.7.3"}