CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.

Golf may allow attacker to bypass CSRF protections due to weak PRNG