SCA: security update for github.com/justinas/nosurf (GHSA-w9hf-35q4-vcjw)

medium Tenable Cloud Security Plugin ID 434790

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- nosurf is cross-site request forgery (CSRF) protection middleware for Go. A vulnerability in versions
prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target
site (either via XSS, or otherwise) to bypass CSRF checks and issue requests on user's behalf. Due to
misuse of the Go `net/http` library, nosurf categorizes all incoming requests as plain-text HTTP requests,
in which case the `Referer` header is not checked to have the same origin as the target webpage. If the
attacker has control over HTML contents on either the target website (e.g. `example.com`), or on a website
hosted on a subdomain of the target (e.g. `attacker.example.com`), they will also be able to manipulate
cookies set for the target website. By acquiring the secret CSRF token from the cookie, or overriding the
cookie with a new token known to the attacker, `attacker.example.com` is able to craft cross-site requests
to `example.com`. A patch for the issue was released in nosurf 1.2.0. In lieu of upgrading to a patched
version of nosurf, users may additionally use another HTTP middleware to ensure that a non-safe HTTP
request is coming from the same origin (e.g. by requiring a `Sec-Fetch-Site: same-origin` header in the
request). (CVE-2025-46721)

See Also

https://github.com/advisories/GHSA-w9hf-35q4-vcjw

Plugin Details

Severity: Medium

ID: 434790

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 8/20/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.37

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2025-46721

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6

Threat Score: 5.4

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/14/2025

Vulnerability Publication Date: 5/13/2025

Reference Information

CVE: CVE-2025-46721

cwe: CWE-352