CVE-2025-47909

Public on 2025-08-29
Modified on 2025-09-04
Description
Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin header is checked with sameOrigin against a synthetic URL. However, if a host is added to TrustedOrigins, both its HTTP and HTTPS origins will be allowed, because the schema of the synthetic URL is ignored and only the host is checked. For example, if an application is hosted on https://example.com and adds example.net to TrustedOrigins, a network attacker can serve a form at http://example.net to perform the attack. Applications should migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If that is not an option, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla.
Severity
Important severity
Important
See what this means
CVSS v3 Base Score
7.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Core amazon-cloudwatch-agent Not Affected
Amazon Linux 2023 amazon-cloudwatch-agent Not Affected
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2 - Docker Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2 - Ecs Extra amazon-ecr-credential-helper Not Affected
Amazon Linux 2023 amazon-ecr-credential-helper Not Affected
Amazon Linux 1 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core amazon-ssm-agent Not Affected
Amazon Linux 2023 amazon-ssm-agent Not Affected
Amazon Linux 2 - Core cni-plugins Not Affected
Amazon Linux 2023 cni-plugins Not Affected
Amazon Linux 1 containerd Not Affected
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra containerd Not Affected
Amazon Linux 2 - Docker Extra containerd Not Affected
Amazon Linux 2 - Ecs Extra containerd Not Affected
Amazon Linux 2023 containerd Not Affected
Amazon Linux 2 - Core cri-tools Not Affected
Amazon Linux 1 docker Not Affected
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra docker Not Affected
Amazon Linux 2 - Docker Extra docker Not Affected
Amazon Linux 2 - Ecs Extra docker Not Affected
Amazon Linux 2023 docker Not Affected
Amazon Linux 2 - Ecs Extra ecs-init Not Affected
Amazon Linux 2023 ecs-init Not Affected
Amazon Linux 1 golang Not Affected
Amazon Linux 2 - Core golang Not Affected
Amazon Linux 2023 golang Not Affected
Amazon Linux 2 - Core golang-github-cpuguy83-go-md2man Not Affected
Amazon Linux 2 - Core golist Not Affected
Amazon Linux 2023 libcap Not Affected
Amazon Linux 2 - Core nerdctl Not Affected
Amazon Linux 2023 nerdctl Not Affected
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra oci-add-hooks Not Affected
Amazon Linux 2 - Docker Extra oci-add-hooks Not Affected
Amazon Linux 2 - Ecs Extra oci-add-hooks Not Affected
Amazon Linux 2023 oci-add-hooks Not Affected
Amazon Linux 1 runc Not Affected
Amazon Linux 2 - Aws-nitro-enclaves-cli Extra runc Not Affected
Amazon Linux 2 - Docker Extra runc Not Affected
Amazon Linux 2 - Ecs Extra runc Not Affected
Amazon Linux 2023 runc Not Affected
Amazon Linux 2 - Docker Extra runfinch-finch Not Affected
Amazon Linux 2023 runfinch-finch Not Affected
Amazon Linux 2 - Docker Extra soci-snapshotter Not Affected
Amazon Linux 2023 soci-snapshotter Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD CVSSv3 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2025-47909 Mitre: CVE-2025-47909