VYPR
Moderate severity · NVD Advisory · Published Apr 9, 2025 · Updated Apr 9, 2025

XSS at ctx.redirect() function in Koajs

CVE-2025-32379

Description

Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of a user of the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.
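The description above says the value can execute "even after sanitizing it"; the reason is the rendering context, not the quality of the escaping. The block below is an added example written for this page, not Koa's own code: it reproduces the shape of the pre-fix and post-fix response bodies from the fix commit, adds a check that distinguishes them, and shows an application-side guard on the redirect target before ctx.redirect() is ever called. `escapeHtml` is a stand-in for the escape helper Koa uses (assumed to encode the same five characters); `hasNonHttpAnchor`, `safeRedirectTarget`, the `app.example` hostname and every sample value are constructed for illustration.

```javascript
// Added example for this advisory; it is not Koa's code. It reproduces the
// shape of the two response bodies from the fix commit, shows a check that
// tells them apart, and adds an application-level guard on the target itself.

// Stand-in for the escape helper Koa uses (assumption: the same five
// characters are entity-encoded; this is not the package's own source).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Body shape before the fix: the escaped value lands inside an href attribute.
function redirectBodyBefore(url) {
  const safeText = escapeHtml(url);
  return `Redirecting to <a href="${safeText}">${safeText}</a>.`;
}

// Body shape after the fix (koa 2.16.1 / 3.0.0-alpha.5): plain text only.
function redirectBodyAfter(url) {
  return `Redirecting to ${escapeHtml(url)}.`;
}

// Detection: does the rendered body contain a link whose scheme is not http(s)?
// Entity escaping rewrites & < > " ' but leaves a scheme such as `javascript:`
// untouched, so the pre-fix body can carry an executable link even though the
// escape helper ran. Deliberately narrow: it only inspects a double-quoted href.
function hasNonHttpAnchor(body) {
  const anchor = /<a\s[^>]*href="([^"]*)"/i.exec(body);
  if (!anchor) return false;
  const href = anchor[1].replace(/&amp;/g, '&').trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (!scheme) return false; // relative URL, no scheme at all
  const name = scheme[1].toLowerCase();
  return name !== 'http' && name !== 'https';
}

// Mitigation at the call site: decide what ctx.redirect() may receive before
// the framework renders anything. Accepts a local path or an absolute http(s)
// URL whose host is on the allowlist; everything else becomes the fallback.
function safeRedirectTarget(input, allowedHosts, fallback = '/') {
  const raw = String(input).trim();
  // A single leading slash is a local path; "//" and "/\" are scheme-relative
  // and would send the browser to another host.
  if (/^\/(?![\/\\])/.test(raw)) return raw;
  let parsed;
  try {
    parsed = new URL(raw); // throws for relative or malformed input
  } catch (e) {
    return fallback;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  if (!allowedHosts.includes(parsed.hostname)) return fallback;
  return parsed.href;
}

// Constructed inputs (not taken from the advisory): a non-http scheme, a
// markup-bearing string, and an ordinary absolute URL on the allowed host.
const samples = ['javascript:void(0)', '<b>x</b>', 'https://app.example/settings'];

// Run every sample through both body shapes and the guard; returns one row per
// sample so the three behaviours can be compared side by side.
function demo() {
  return samples.map((s) => ({
    input: s,
    beforeUnsafe: hasNonHttpAnchor(redirectBodyBefore(s)),
    afterUnsafe: hasNonHttpAnchor(redirectBodyAfter(s)),
    guarded: safeRedirectTarget(s, ['app.example']),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The two functions make complementary points: `hasNonHttpAnchor` shows why the framework change alone closes the script-execution path (no attribute, nothing for a scheme to execute in), while `safeRedirectTarget` is the check an application still wants in front of ctx.redirect() so that an untrusted value never becomes an off-site redirect target in the Location header either.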

Affected packages

Versions sourced from the GitHub Security Advisory.

Package     Affected versions                    Patched versions
koa (npm)   < 2.16.1                             2.16.1
koa (npm)   >= 3.0.0-alpha.1, < 3.0.0-alpha.5    3.0.0-alpha.5

Affected products

  • Range: >= 3.0.0-alpha.0, < 3.0.0-alpha.5

Patches

ff25eb4a7f23

fix: don't render redirect values in anchor ref

https://github.com/koajs/koa · jongleberry · Apr 6, 2025 · via GHSA
2 files changed · +3 −3
  • lib/response.js (+1 −1, modified)
    @@ -309,7 +309,7 @@ module.exports = {
         if (this.ctx.accepts('html')) {
           url = escape(url)
           this.type = 'text/html; charset=utf-8'
    -      this.body = `Redirecting to <a href="${url}">${url}</a>.`
    +      this.body = `Redirecting to ${url}.`
           return
         }
     
    
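Review bot: the patched assignment `this.body = \`Redirecting to ${url}.\`` still interpolates the user-controlled value, so safety now rests entirely on `escape(url)` two lines above producing text-safe output; add a one-line comment at that assignment explaining why the anchor was removed, so a later contributor does not reintroduce it. The reason belongs in the code: entity escaping protects the text node but does not alter a URL scheme, so the same escaped value inside `href="..."` could still be a link whose scheme the browser executes, which is what the advisory means by "even after sanitizing it".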
  • __tests__/response/redirect.test.js (+2 −2, modified)
    @@ -80,7 +80,7 @@ describe('ctx.redirect(url)', () => {
           ctx.header.accept = 'text/html'
           ctx.redirect(url)
           assert.strictEqual(ctx.response.header['content-type'], 'text/html; charset=utf-8')
    -      assert.strictEqual(ctx.body, `Redirecting to <a href="${url}">${url}</a>.`)
    +      assert.strictEqual(ctx.body, `Redirecting to ${url}.`)
         })
     
         it('should escape the url', () => {
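Review bot: the updated assertion `assert.strictEqual(ctx.body, \`Redirecting to ${url}.\`)` builds its expected value from the same template the implementation now uses, so it pins the new string without stating the security intent; consider adding an explicit negative check such as `assert.ok(!ctx.body.includes('<a'))` so that a change reintroducing markup around the redirect target fails with a message that says why.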
    @@ -90,7 +90,7 @@ describe('ctx.redirect(url)', () => {
           ctx.redirect(url)
           url = escape(url)
           assert.strictEqual(ctx.response.header['content-type'], 'text/html; charset=utf-8')
    -      assert.strictEqual(ctx.body, `Redirecting to <a href="${url}">${url}</a>.`)
    +      assert.strictEqual(ctx.body, `Redirecting to ${url}.`)
         })
       })
     
    
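Review bot: `url = escape(url)` on the line before the assertion means the 'should escape the url' test compares the body against whatever `escape()` returns rather than a known literal, so a regression inside the escaping helper would still pass; assert a hard-coded expected body for a fixed input (for example that `<` appears as `&lt;`), and add a second case whose `url` carries a non-http scheme to document that the value must be rendered as plain text and never placed in an `href`.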
