In GoCD, versions 19.6.0 to 21.1.0 are vulnerable to Cross-Site Request Forgery due to missing CSRF protection at the /go/api/config/backup endpoint. An attacker can trick a victim to click on a malicious link which could change backup configurations or execute system commands in the postbackupscript field.
[
{
"id": "CVE-2021-25924-24fdfdbd",
"target": {
"function": "setupRoutes",
"file": "api/api-backup-config-v1/src/main/java/com/thoughtworks/go/apiv1/backupconfig/BackupConfigControllerV1.java"
},
"signature_version": "v1",
"source": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548",
"signature_type": "Function",
"digest": {
"function_hash": "321407077403969273082490796812356271858",
"length": 413.0
},
"deprecated": false
},
{
"id": "CVE-2021-25924-76b9a835",
"target": {
"file": "api/api-backup-config-v1/src/main/java/com/thoughtworks/go/apiv1/backupconfig/BackupConfigControllerV1.java"
},
"signature_version": "v1",
"source": "https://github.com/gocd/gocd/commit/7d0baab0d361c377af84994f95ba76c280048548",
"signature_type": "Line",
"digest": {
"line_hashes": [
"290456271028648574292916738462855074058",
"128884651754586473902382283956016558467",
"117628666451766356497316226923840181200"
],
"threshold": 0.9
},
"deprecated": false
}
]
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-25924.json"
"2026-04-11T13:54:01Z"