Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Description
Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
koanpm | >= 3.0.1, < 3.0.3 | 3.0.3 |
koanpm | >= 2.16.2, < 2.16.3 | 2.16.3 |
Affected products
2Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-g8mr-fgfg-5qpcghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-62595ghsaADVISORY
- github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5bghsax_refsource_MISCWEB
- github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpcghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.