CVE-2020-36564: nosurf vulnerable to improper input validation

December 28, 2022 (updated December 30, 2022)

Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.

References

github.com/advisories/GHSA-5x84-q523-vvwr
github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
github.com/justinas/nosurf/pull/60
nvd.nist.gov/vuln/detail/CVE-2020-36564
pkg.go.dev/vuln/GO-2020-0049

Code Behaviors & Features

Detect and mitigate CVE-2020-36564 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →