{“lastseen”:”2025-08-14T16:27:48″,”description”:”Geomys is an organization of professional open source maintainers, focused on a portfolio of critical Go projects. For example, we are two thirds of the Go standard library cryptography maintainers, we provide the FIPS 140-3 validation of the upstream Go Cryptographic Module, and we fund the maintenance of x\/crypto\/ssh and staticcheck amongst others.\\n\\nOur retainer clients engage us both to get access to our expertise, and so that the critical dependencies they rely on are professionally maintained. Beyond our portfolio, we sometimes act as _maintainers of last resort_ when critical, security-relevant Go projects go unmaintained.\\n\\nRecently, there were two occasions in which we stepped into this informal role:\\n\\n * we took over maintenance of the popular bluemonday HTML sanitizer when the maintainer chose to move on; and\\n * we built alternative upgrade paths for the seemingly unmaintained gorilla\/csrf library, by introducing a new carefully researched implementation into the standard library and creating a drop-in package replacement, after we discovered a security vulnerability in the original.\\n\\n\\n\\nWe can professionally serve in this role, including contracting external help, thanks to the sustainable funding of our retainer agreements. Our clients benefit from our maintenance efforts, and have a direct line to highlight projects in need.\\n\\n## bluemonday\\n\\nbluemonday is the most popular HTML sanitizer in the Go ecosystem, used by thousands of applications and libraries to clean up user-generated markup before including it in web pages. Needless to say, it\u2019s a security-critical, load-bearing component.\\n\\nIn late 2023, the sole previous maintainer announced that their new professional circumstances were not compatible with volunteer OSS work, and that they were looking for responsible ways to wind it down. Geomys offered to take over maintenance instead.\\n\\nOver 2024, Geomys worked with the maintainer to take over the project at its original location, avoiding the disruption of a deprecation, and guaranteeing a natural path for future security updates.\\n\\nSince we work on Go and open source on a daily basis, the marginal load for Geomys is tiny, but there is outsized value to the community in knowing that security reports would be handled by dedicated professionals that can prioritize them appropriately.\\n\\nBeyond handling security and critical issues, we are also discussing bringing on a domain subject expert on a contract basis to improve safety in edge cases and to future-proof the library further. Again, we can do that because we are sustainably funded through our retainer agreements.\\n\\nThis was welcomed as a great outcome by the original maintainer. The existence of a maintainer of last resort is not only beneficial to the consumers of the ecosystem, but also releases a lot of pressure from volunteer maintainers who would otherwise sometimes carry unsustainable loads out of a sense of duty.\\n\\n## gorilla\/csrf\\n\\ngorilla\/csrf is an extremely popular Cross-Site Request Forgery protection middleware.\\n\\nIn December 2024, Patrick O’Doherty discovered that the library was unintentionally vulnerable to _schemelessly_ same-site cross-origin request forgeries. This means `https:\/\/admin.example.com` could be attacked by `https:\/\/blog.example.com` or, even worse, `http:\/\/foo.example.com`. Unless HTTP Strict-Transport-Security with `includeSubDomains` is used, any network attacker can control the latter and mount the attack. This was fixed publicly in January, but a new release (v1.7.3) and an advisory (CVE-2025-24358) weren\u2019t published until April.\\n\\nAlerted by Patrick\u2019s finding, we looked into the library, and found a further issue that again allowed network attackers to mount CSRF attacks if the application used the `TrustedOrigins` option. We reported this to the project on April 18th, 2025; however, it hasn\u2019t been acknowledged and the project appears unmaintained. (We are publicly disclosing it as the customary 90-day deadline has lapsed, and all the upgrade paths listed below are available as of yesterday, with the release of Go 1.25.)\\n\\nWe tried reaching out to past maintainers via email and Slack to offer to take over the project, but unfortunately never heard back. Therefore, we set out to find other solutions to fill this critical CSRF-shaped hole in the ecosystem.\\n\\n 1. First, we researched the landscape of CSRF countermeasures, and consulted with subject experts, including some of the authors of relevant Web specifications. We found that modern browsers provide security metadata in request headers that makes it possible to reject cross-origin requests without any tokens or keys, leading to a drastically better developer experience, better security, and fewer false positives! The results of that investigation are public for other projects that may benefit from it.\\n 2. Second, we proposed and introduced a new CrossOriginProtection middleware in the `net\/http` standard library package. It is part of Go 1.25, released yesterday, and we recommend all gorilla\/csrf users consider switching to it. We trust that a standard library solution will safely serve the ecosystem going forward.\\n 3. For applications that are not ready to update to Go 1.25, we made a nearly-identical middleware available as a Go module, at filippo.io\/csrf.\\n 4. Finally, we made a drop-in replacement package for the whole gorilla\/csrf API that uses the new countermeasures instead: filippo.io\/csrf\/gorilla. We tried to minimize any side-effects of the substitution, for example by returning random values in place of the now disused tokens, but we invite you to read the package docs.\\n\\n\\n\\nAgain, all of this is enabled by and part of the Geomys retainer contracts. If you work at a company with a critical dependency on the Go ecosystem, consider reaching out at hi@geomys.org. Regardless, you might also want to follow me on Bluesky at @filippo.abyssdomain.expert or on Mastodon at @filippo@abyssdomain.expert.\\n\\n## The picture\\n\\nSince we’re talking about Geomys, here’s a throwback to\u2026 last year? Was it just last year?? Anyway, we sponsored GopherCon US and set up a booth mostly to cover it with my collection of gophers and pins.\\n\\n\\n\\nGeomys is funded by Smallstep, Ava Labs, Teleport, Tailscale, and Sentry. Here are a few words from some of them!\\n\\nTeleport \u2014 For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. Teleport Identity is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.\\n\\nAva Labs \u2014 We at Ava Labs, maintainer of AvalancheGo (the most widely used client for interacting with the Avalanche Network), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.”,”published”:”2025-08-14T14:23:59″,”modified”:”2025-08-14T14:23:59″,”type”:”filippoio”,”title”:”Maintainers of Last Resort”,”source”:””,”references”:””,”id”:”FILIPPOIO:F563E51346B142875A0AA33552E9FA3D”,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[“CVE-2025-24358″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:6,”severity”:”MEDIUM”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:P\/PR:N\/UI:P\/VC:N\/SC:N\/VI:H\/SI:N\/VA:N\/SA:N\/E:P”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/words.filippo.io\/last-resort\/”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-08-14T16:27:48″,”description”:”Geomys is an organization of professional open source maintainers, focused on a portfolio of critical Go projects. For example, we are two thirds of the…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,37,12,162,21,13,7,11,5],"class_list":["post-12962","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-60","tag-exploit","tag-filippoio","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n