Geomys is an organization of professional open source maintainers, focused on a portfolio of critical Go projects. For example, we are two thirds of the Go standard library cryptography maintainers, we provide the FIPS 140-3 validation of the upstream Go Cryptographic Module, and we fund the maintenance of x/crypto/ssh and staticcheck amongst others.
Our retainer clients engage us both to get access to our expertise, and so that the critical dependencies they rely on are professionally maintained. Beyond our portfolio, we sometimes act as maintainers of last resort when critical, security-relevant Go projects go unmaintained.
Recently, there were two occasions in which we stepped into this informal role: bluemonday and gorilla/csrf.
We can professionally serve in this role, including contracting external help, thanks to the sustainable funding of our retainer agreements. Our clients benefit from our maintenance efforts, and have a direct line to highlight projects in need.
This is a Maintainer Dispatches issue, providing the Geomys background for yesterday's Cryptography Dispatches issue on CSRF. (If you are only interested in the technical posts, you can select which emails you want to receive, under Your preferences.)
bluemonday is the most popular HTML sanitizer in the Go ecosystem, used by thousands of applications and libraries to clean up user-generated markup before including it in web pages. Needless to say, it’s a security-critical, load-bearing component.
In late 2023, the sole previous maintainer announced that their new professional circumstances were not compatible with volunteer OSS work, and that they were looking for responsible ways to wind it down. Geomys offered to take over maintenance instead.
Over 2024, Geomys worked with the maintainer to take over the project at its original location, avoiding the disruption of a deprecation, and guaranteeing a natural path for future security updates.
Since we work on Go and open source on a daily basis, the marginal load for Geomys is tiny, but there is outsized value to the community in knowing that security reports would be handled by dedicated professionals that can prioritize them appropriately.
Beyond handling security and critical issues, we are also discussing bringing on a domain subject expert on a contract basis to improve safety in edge cases and to future-proof the library further. Again, we can do that because we are sustainably funded through our retainer agreements.
This was welcomed as a great outcome by the original maintainer. The existence of a maintainer of last resort is not only beneficial to the consumers of the ecosystem, but also releases a lot of pressure from volunteer maintainers who would otherwise sometimes carry unsustainable loads out of a sense of duty.
gorilla/csrf is an extremely popular Cross-Site Request Forgery protection middleware.
In December 2024, Patrick O'Doherty discovered that the library was unintentionally vulnerable to schemelessly same-site cross-origin request forgeries. This means https://admin.example.com could be attacked by https://blog.example.com or, even worse, http://foo.example.com. Unless HTTP Strict-Transport-Security with includeSubDomains is used, any network attacker can control the latter and mount the attack. This was fixed publicly in January, but a new release (v1.7.3) and an advisory (CVE-2025-24358) weren’t published until April.
Alerted by Patrick’s finding, we looked into the library, and found a further issue that again allowed network attackers to mount CSRF attacks if the application used the TrustedOrigins option. We reported this to the project on April 18th, 2025; however, it hasn’t been acknowledged and the project appears unmaintained. (We are publicly disclosing it as the customary 90-day deadline has lapsed, and all the upgrade paths listed below are available as of yesterday, with the release of Go 1.25.)
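To make the two failure modes above concrete, here is an added, self-contained Go illustration (not gorilla/csrf's code, and not a description of its internals): it models the schemeless "same-site" comparison that lets https://blog.example.com and plain-http foo.example.com pass as peers of https://admin.example.com, next to a strict same-origin check, and it matches a trusted-origins list by full scheme plus host rather than host alone, since a network attacker can stand up any plain-http origin. The `registrableDomain` helper is a deliberately naive two-label eTLD+1 stand-in, and the decision to reject requests that carry neither Origin nor Referer is an assumption made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Origin is the (scheme, host[:port]) pair a browser uses to scope requests.
type Origin struct {
	Scheme string
	Host   string
}

func (o Origin) String() string { return o.Scheme + "://" + o.Host }

// ParseOrigin reduces an absolute http(s) URL (an Origin or Referer header
// value, or a configured trusted origin) to its scheme and host.
func ParseOrigin(raw string) (Origin, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return Origin{}, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
		return Origin{}, fmt.Errorf("not an http(s) origin: %q", raw)
	}
	return Origin{Scheme: strings.ToLower(u.Scheme), Host: strings.ToLower(u.Host)}, nil
}

// registrableDomain is a deliberately naive eTLD+1 (last two labels), used
// only to model the "same-site" notion; real code needs the public suffix list.
func registrableDomain(host string) string {
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	labels := strings.Split(host, ".")
	if len(labels) < 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// SameSite is the schemeless same-site comparison: any subdomain of the same
// registrable domain passes, over http or https alike. Under it, both
// https://blog.example.com and http://foo.example.com count as peers of
// https://admin.example.com, which is exactly the weakness described above.
func SameSite(target, source Origin) bool {
	return registrableDomain(target.Host) == registrableDomain(source.Host)
}

// SameOrigin requires scheme and host (including port) to match exactly.
func SameOrigin(target, source Origin) bool {
	return target == source
}

// AllowedBy reports whether source may send state-changing requests to
// target: same origin, or an exact scheme+host match against the trusted list.
// Matching trusted entries by host alone would accept http://<trusted host>,
// which any attacker on the network path can impersonate.
func AllowedBy(target, source Origin, trusted []Origin) bool {
	if SameOrigin(target, source) {
		return true
	}
	for _, t := range trusted {
		if t == source {
			return true
		}
	}
	return false
}

var ErrCrossOrigin = errors.New("cross-origin request rejected")

// CheckRequest applies AllowedBy to an incoming request. The target origin is
// derived from the TLS state and Host header; the source from the Origin
// header, falling back to Referer. Safe methods are not checked. A request
// with neither header is rejected (an assumption for this example; a real
// middleware must decide how to treat non-browser clients).
func CheckRequest(r *http.Request, trusted []Origin) error {
	switch r.Method {
	case http.MethodGet, http.MethodHead, http.MethodOptions:
		return nil
	}
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	target := Origin{Scheme: scheme, Host: strings.ToLower(r.Host)}
	src := r.Header.Get("Origin")
	if src == "" {
		src = r.Header.Get("Referer")
	}
	if src == "" {
		return ErrCrossOrigin
	}
	source, err := ParseOrigin(src)
	if err != nil {
		return err
	}
	if !AllowedBy(target, source, trusted) {
		return fmt.Errorf("%w: %s -> %s", ErrCrossOrigin, source, target)
	}
	return nil
}

func main() {
	admin, _ := ParseOrigin("https://admin.example.com")
	// Constructed sample sources, mirroring the three hosts from the post.
	for _, raw := range []string{"https://admin.example.com", "https://blog.example.com", "http://foo.example.com"} {
		src, _ := ParseOrigin(raw)
		fmt.Printf("%-26s same-site=%-5v same-origin=%v\n", raw, SameSite(admin, src), SameOrigin(admin, src))
	}
}
```

Running it shows all three sources passing the same-site check while only the exact https://admin.example.com passes same-origin; the scheme is what separates a trusted https origin from its plain-http impostor in `AllowedBy`.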
We tried reaching out to past maintainers via email and Slack to offer to take over the project, but unfortunately never heard back. Therefore, we set out to find other solutions to fill this critical CSRF-shaped hole in the ecosystem.
net/http standard library package. It is part of Go 1.25, released yesterday, and we recommend all gorilla/csrf users consider switching to it. We trust that a standard library solution will safely serve the ecosystem going forward.
Again, all of this is enabled by and part of the Geomys retainer contracts. If you work at a company with a critical dependency on the Go ecosystem, consider reaching out at hi@geomys.org. Regardless, you might also want to follow me on Bluesky at @filippo.abyssdomain.expert or on Mastodon at @filippo@abyssdomain.expert.
Since we're talking about Geomys, here's a throwback to... last year? Was it just last year?? Anyway, we sponsored GopherCon US and set up a booth mostly to cover it with my collection of gophers and pins.
Geomys is funded by Smallstep, Ava Labs, Teleport, Tailscale, and Sentry. Here are a few words from some of them!
Teleport — For the past five years, attacks and compromises have been shifting from traditional malware and security breaches to identifying and compromising valid user accounts and credentials with social engineering, credential theft, or phishing. Teleport Identity is designed to eliminate weak access patterns through access monitoring, minimize attack surface with access requests, and purge unused permissions via mandatory access reviews.
Ava Labs — We at Ava Labs, maintainer of AvalancheGo (the most widely used client for interacting with the Avalanche Network), believe the sustainable maintenance and development of open source cryptographic protocols is critical to the broad adoption of blockchain technology. We are proud to support this necessary and impactful work through our ongoing sponsorship of Filippo and his team.
Did you like this? There is no tracking, so reply to let me know!
Do you want me to write more? You can sign up to pay $7/issue (max. 2 per month). My brain's reward function is easily tricked.
You can also read this in a browser.
My snail mail address is 9450 SW Gemini Dr #52960, Beaverton, OR 97008 and I enjoy postcards 📮
Rather than unsubscribing, you can narrow your topics to only cryptography or only open source maintenance here.
This was issue #120 of Cryptography Dispatches. You can subscribe or unsubscribe.