Cryptographically weak random number generation in github.com/dinever/golf
Description
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The golf web framework for Go used the non-cryptographically secure math/rand to generate CSRF tokens, allowing attackers to predict tokens and bypass CSRF protection.
The golf web framework for Go generated Cross-Site Request Forgery (CSRF) tokens using the math/rand package, which is not a cryptographically secure random number generator [1]. This design flaw made token values predictable, as the output of math/rand can be reverse-engineered with a relatively small number of observations, enabling attackers to forge valid tokens without legitimate access to the session [1].
An attacker can exploit this vulnerability by observing a few CSRF tokens from a legitimate user (for example, by luring them to a malicious site that triggers requests and captures the tokens) and then using the predictable pattern to generate future tokens. Since the tokens are tied to user sessions, the attacker can craft requests that appear to originate from the victim, bypassing the framework's CSRF protection [1].
Successful exploitation allows an attacker to perform actions on behalf of the victim, such as modifying account settings, submitting forms, or executing state-changing operations, all without the victim's knowledge. This effectively undermines the security model that CSRF tokens are meant to enforce [1][3].
The vulnerability was addressed in golf release v0.3.0, which switched to a cryptographically secure random generator for token creation [2]. Users should upgrade to v0.3.0 or later to mitigate the risk. The issue is also tracked as Go vulnerability GO-2020-0045, providing additional guidance [3]. As of this writing, no widespread exploitation in the wild has been reported, but the predictable token generation remains a serious risk for unpatched instances.
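The pre-fix and post-fix token generators side by side, as an added example that is not the golf project's own code. The weak variant takes its seed as a parameter instead of reading the clock so that its determinism is visible; the strong variant follows the v0.3.0 approach (crypto/rand bytes, hex-encoded), and the constant-time verification helper is an addition beyond what the advisory describes.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
)

// weakToken mirrors the pre-0.3.0 pattern: math/rand seeded from a timestamp
// (here passed in as `seed`). The same seed always yields the same token, which
// is why the scheme is predictable to anyone who can narrow down the seed.
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	const chars = "abcdefghijklmnopqrstuvwxyz0123456789"
	b := make([]byte, n)
	for i := range b {
		b[i] = chars[r.Intn(len(chars))]
	}
	return string(b)
}

// strongToken follows the v0.3.0 fix: n bytes from the OS CSPRNG, hex-encoded
// so the token is safe to place in a cookie or hidden form field.
func strongToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err // a CSPRNG failure must not be papered over with a fallback
	}
	return hex.EncodeToString(b), nil
}

// validToken compares a submitted token with the session's stored token in
// constant time; ConstantTimeCompare returns 0 when the lengths differ.
func validToken(submitted, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(submitted), []byte(stored)) == 1
}

func main() {
	fmt.Println("weak, same seed twice:", weakToken(1700000000, 16), weakToken(1700000000, 16))
	t1, _ := strongToken(16)
	t2, _ := strongToken(16)
	fmt.Println("strong, two calls:", t1, t2)
}
```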
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/dinever/golf (Go) | < 0.3.0 | 0.3.0 |
Affected products
- github.com/dinever/golf
Patches
- 3776f338be48: Merge pull request #24 from bentranter/use-crypto-rand-for-xsrf
1 file changed · +8 −7
xsrf.go+8 −7 modified@@ -1,20 +1,21 @@ package golf import ( + "crypto/rand" "encoding/hex" - "math/rand" - "time" ) const chars = "abcdefghijklmnopqrstuvwxyz0123456789" func randomBytes(strlen int) []byte { - rand.Seed(time.Now().UTC().UnixNano()) - result := make([]byte, strlen) - for i := 0; i < strlen; i++ { - result[i] = chars[rand.Intn(len(chars))] + b := make([]byte, strlen) + _, err := rand.Read(b) + if err != nil { + // panic on failure since this indicates a failure of the system's + // CSPRNG + panic(err) } - return result + return b } func decodeXSRFToken(maskedToken string) ([]byte, []byte, error) {
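Review bot: randomBytes now returns raw bytes instead of characters drawn from `chars`, so any caller that placed the result directly into a cookie or form field must encode it first; the retained `"encoding/hex"` import suggests that is already the path, but it is worth confirming in the callers. The `const chars` line is left in place yet no longer used by this function and should be removed if nothing else in the package references it. The `panic(err)` on a `rand.Read` failure is defensible given the comment explaining that it indicates a broken system CSPRNG, though returning the error to the caller would let the handler fail the request cleanly instead of crashing the process.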
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-q9qr-jwpw-3qvv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-15005 (advisory)
- github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe (web)
- github.com/dinever/golf/issues/20 (web)
- github.com/dinever/golf/pull/24 (web)
- github.com/dinever/golf/releases/tag/v0.3.0 (web)
- pkg.go.dev/vuln/GO-2020-0045 (web)
News mentions
No linked articles in our index yet.