Low severity (CVSS 3.5) · NVD Advisory · Published Jul 25, 2025 · Updated Apr 29, 2026
CVE-2025-8129
Description
A vulnerability classified as problematic was found in KoaJS Koa up to 3.0.0. The affected code is the function `back` in lib/response.js, part of the HTTP Header Handler component. Manipulation of the Referrer argument leads to an open redirect. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
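As an added illustration (not Koa's code and not part of this advisory), the `safeBackLocation()` below reproduces the same-origin test that the fixed `ctx.back()` applies to the Referrer header, and also handles the two inputs a defender would want covered: a protocol-relative reference such as `//other.example/` and an unparsable header value. The function, `checkSamples()`, the `SAMPLES` table and the `example.com` / `other.example` hosts are constructed for this example.

```javascript
// Added example, not Koa's own code. Computes the Location for a "back"
// redirect from a caller-supplied Referrer. Unlike the Koa patch, which
// compares hosts only, this compares full origins (scheme + host + port),
// and it never lets new URL() throw on a bad header.
function safeBackLocation(referrer, requestHref, alt) {
  const fallback = alt || '/'
  if (!referrer) return fallback

  let target
  try {
    // Resolve against the current request URL. Relative paths stay on our
    // origin; "//host/...", "/\\host/..." and non-http schemes resolve to a
    // different origin (or origin "null") and fail the comparison below.
    target = new URL(referrer, requestHref)
  } catch {
    // Unparsable header (e.g. "http://"): treat it as if no Referrer was sent.
    return fallback
  }

  const self = new URL(requestHref)
  if (target.origin !== self.origin) return fallback

  // Same origin: redirect to the normalised absolute URL.
  return target.href
}

// Constructed sample inputs: [referrer, alt, expected Location].
const SAMPLES = [
  ['/login', undefined, 'https://example.com/login'],                   // relative path
  ['https://example.com/account', undefined, 'https://example.com/account'], // same origin
  ['https://other.example/login', undefined, '/'],                      // cross-origin
  ['https://other.example/login', '/start', '/start'],                  // cross-origin, alt given
  ['//other.example/login', undefined, '/'],                            // protocol-relative
  ['http://', undefined, '/'],                                          // unparsable header
  ['', undefined, '/'],                                                 // header absent
]

// Returns one boolean per sample: true when the computed Location matches.
function checkSamples(requestHref = 'https://example.com/home') {
  return SAMPLES.map(([ref, alt, want]) => safeBackLocation(ref, requestHref, alt) === want)
}
```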
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| koa (npm) | >= 2.0.0, < 2.16.2 | 2.16.2 |
| koa (npm) | >= 3.0.0-alpha.0, < 3.0.1 | 3.0.1 |
Affected products
8 CPE entries:
- cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:* (range: >=2.0.0, <2.16.2)
- cpe:2.3:a:koajs:koa:3.0.0:-:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha3:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha4:*:*:*:node.js:*:*
- cpe:2.3:a:koajs:koa:3.0.0:alpha5:*:*:*:node.js:*:*
Patches
2 files changed · +34 −2
lib/response.js+18 −2 modified@@ -320,8 +320,24 @@ module.exports = { */ back (alt) { - const url = this.ctx.get('Referrer') || alt || '/' - this.redirect(url) + const referrer = this.ctx.get('Referrer') + if (referrer) { + // referrer is a relative path + if (referrer.startsWith('/')) { + this.redirect(referrer) + return + } + + // referrer is an absolute URL, check if it's the same origin + const url = new URL(referrer, this.ctx.href) + if (url.host === this.ctx.host) { + this.redirect(referrer) + return + } + } + + // no referrer, use alt or '/' + this.redirect(alt || '/') }, /**
__tests__/response/back.test.js+16 −0 modified@@ -12,6 +12,22 @@ describe('ctx.back([alt])', () => { assert.equal(ctx.response.header.location, '/login') }) + it('should redirect to the same origin referrer', () => { + const ctx = context() + ctx.req.headers.host = 'example.com' + ctx.req.headers.referrer = 'https://example.com/login' + ctx.back() + assert.equal(ctx.response.header.location, 'https://example.com/login') + }) + + it('should redirect to root if the same origin referrer is not present', () => { + const ctx = context() + ctx.req.headers.host = 'example.com' + ctx.req.headers.referrer = 'https://other.com/login' + ctx.back() + assert.equal(ctx.response.header.location, '/') + }) + it('should redirect to Referer', () => { const ctx = context() ctx.req.headers.referer = '/login'
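Review bot: In the lib/response.js hunk, the relative-path branch `if (referrer.startsWith('/'))` redirects without any host comparison, but a header value beginning with two slashes (`//host/path`) also starts with `/` and is resolved by the client as a protocol-relative URL to that other host, so it is not covered by the same-origin comparison that follows; route such values through the `new URL(referrer, this.ctx.href)` / `url.host === this.ctx.host` check (or require the second character not to be a slash) and add a test for it. Separately, `new URL(referrer, this.ctx.href)` throws a TypeError on an unparsable Referrer value, and the header is caller-supplied, so a bad header would now surface as a 500; wrap the parse in try/catch and fall through to `this.redirect(alt || '/')`.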
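Review bot: In the __tests__/response/back.test.js hunk, the name of the second new test ('should redirect to root if the same origin referrer is not present') does not describe what it exercises: a Referrer is present but belongs to another origin, so rename it to say a cross-origin Referrer is ignored. Two paths of the changed `back()` are also left untested: a cross-origin Referrer combined with an `alt` argument, which should yield `alt` rather than `/`, and a malformed Referrer value, which currently makes `new URL()` throw; add both so the fallback branch and the error behaviour are pinned. Note that the new tests set `ctx.req.headers.referrer` while the existing test that follows uses `referer`; use one spelling consistently or cover both on purpose.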
References
- github.com/koajs/koa/issues/1892 (NVD: Exploit, Issue Tracking, Patch, Third Party Advisory, Vendor Advisory)
- github.com/advisories/GHSA-jgmv-j7ww-jx2x (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-54420 (GHSA: Advisory)
- vuldb.com (NVD: Third Party Advisory, VDB Entry)
- vuldb.com (NVD: Permissions Required, VDB Entry)
- github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0 (GHSA)
- github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x (GHSA)