CVE-2025-8129 (GCVE-0-2025-8129)
Vulnerability from cvelistv5 – Published: 2025-07-25 04:02 – Updated: 2025-07-25 12:01
VLAI?
Summary
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity ?
CWE
- CWE-601 - Open Redirect
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Credits
ZAST.AI (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8129",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-25T12:01:50.242124Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T12:01:53.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/koajs/koa/issues/1892"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"HTTP Header Handler"
],
"product": "Koa",
"vendor": "KoaJS",
"versions": [
{
"status": "affected",
"version": "3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ZAST.AI (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "de",
"value": "Es wurde eine Schwachstelle in KoaJS Koa bis 3.0.0 gefunden. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion back in der Bibliothek lib/response.js der Komponente HTTP Header Handler. Durch Beeinflussen des Arguments Referrer mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \u00fcber das Netzwerk. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-25T04:02:05.418Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-317514 | KoaJS Koa HTTP Header response.js back redirect",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.317514"
},
{
"name": "VDB-317514 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.317514"
},
{
"name": "Submit #619741 | KoaJS Koa \u003c=3.0.0 commit cb22d8dc Open Redirect",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/?submit.619741"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/koajs/koa/issues/1892"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/koajs/koa/issues/1892#issue-3213028583"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-24T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2025-07-24T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2025-07-24T17:29:21.000Z",
"value": "VulDB entry last update"
}
],
"title": "KoaJS Koa HTTP Header response.js back redirect"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2025-8129",
"datePublished": "2025-07-25T04:02:05.418Z",
"dateReserved": "2025-07-24T15:24:16.752Z",
"dateUpdated": "2025-07-25T12:01:53.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2025-8129\",\"sourceIdentifier\":\"cna@vuldb.com\",\"published\":\"2025-07-25T05:15:36.980\",\"lastModified\":\"2025-09-17T14:38:37.743\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad clasificada como problem\u00e1tica en KoaJS (hasta la versi\u00f3n 3.0.0). La funci\u00f3n afectada se encuentra en la librer\u00eda lib/response.js del componente HTTP Header Handler. La manipulaci\u00f3n del argumento Referrer provoca una redirecci\u00f3n abierta. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":5.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"PROOF_OF_CONCEPT\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":3.5,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:N/I:P/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cna@vuldb.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-601\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.16.2\",\"matchCriteriaId\":\"A9F36937-D73F-442F-97E3-E57E6B4DD579\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:-:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"829BF63A-A53D-4B0B-9E79-9654AE97D713\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"C939FF76-3FDC-4439-8794-4DFC390B6AE5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"6C0F27D9-2CCD-4CA4-BB80-3650CA1CC7D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"AC7C1D95-EC40-445D-A46D-5B52C771E9EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha3:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"1CB59D3F-CD0C-46FB-92E6-A57B5309690E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha4:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"7A156C47-5619-4AF3-B7F2-9BE83A5F8F15\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:koajs:koa:3.0.0:alpha5:*:*:*:node.js:*:*\",\"matchCriteriaId\":\"0E020A81-C019-45A9-BA3D-0F3C83D1288A\"}]}]}],\"references\":[{\"url\":\"https://github.com/koajs/koa/issues/1892\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/koajs/koa/issues/1892#issue-3213028583\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Third Party Advisory\",\"Vendor Advisory\"]},{\"url\":\"https://vuldb.com/?ctiid.317514\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Permissions Required\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?id.317514\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://vuldb.com/?submit.619741\",\"source\":\"cna@vuldb.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/koajs/koa/issues/1892\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-8129\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-07-25T12:01:50.242124Z\"}}}], \"references\": [{\"url\": \"https://github.com/koajs/koa/issues/1892\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-07-25T12:01:33.460Z\"}}], \"cna\": {\"title\": \"KoaJS Koa HTTP Header response.js back redirect\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"ZAST.AI (VulDB User)\"}], \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 5.1, \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P\"}}, {\"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV3_0\": {\"version\": \"3.0\", \"baseScore\": 3.5, \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R\"}}, {\"cvssV2_0\": {\"version\": \"2.0\", \"baseScore\": 4, \"vectorString\": \"AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR\"}}], \"affected\": [{\"vendor\": \"KoaJS\", \"modules\": [\"HTTP Header Handler\"], \"product\": \"Koa\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0\"}]}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2025-07-24T00:00:00.000Z\", \"value\": \"Advisory disclosed\"}, {\"lang\": \"en\", \"time\": \"2025-07-24T02:00:00.000Z\", \"value\": \"VulDB entry created\"}, {\"lang\": \"en\", \"time\": \"2025-07-24T17:29:21.000Z\", \"value\": \"VulDB entry last update\"}], \"references\": [{\"url\": \"https://vuldb.com/?id.317514\", \"name\": \"VDB-317514 | KoaJS Koa HTTP Header response.js back redirect\", \"tags\": [\"vdb-entry\", \"technical-description\"]}, {\"url\": \"https://vuldb.com/?ctiid.317514\", \"name\": \"VDB-317514 | CTI Indicators (IOB, IOC, TTP, IOA)\", \"tags\": [\"signature\", \"permissions-required\"]}, {\"url\": \"https://vuldb.com/?submit.619741\", \"name\": \"Submit #619741 | KoaJS Koa \u003c=3.0.0 commit cb22d8dc Open Redirect\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/koajs/koa/issues/1892\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/koajs/koa/issues/1892#issue-3213028583\", \"tags\": [\"exploit\", \"issue-tracking\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.\"}, {\"lang\": \"de\", \"value\": \"Es wurde eine Schwachstelle in KoaJS Koa bis 3.0.0 gefunden. Sie wurde als problematisch eingestuft. Betroffen hiervon ist die Funktion back in der Bibliothek lib/response.js der Komponente HTTP Header Handler. Durch Beeinflussen des Arguments Referrer mit unbekannten Daten kann eine open redirect-Schwachstelle ausgenutzt werden. Umgesetzt werden kann der Angriff \\u00fcber das Netzwerk. Der Exploit steht zur \\u00f6ffentlichen Verf\\u00fcgung.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-601\", \"description\": \"Open Redirect\"}]}], \"providerMetadata\": {\"orgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"shortName\": \"VulDB\", \"dateUpdated\": \"2025-07-25T04:02:05.418Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-8129\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-07-25T12:01:53.033Z\", \"dateReserved\": \"2025-07-24T15:24:16.752Z\", \"assignerOrgId\": \"1af790b2-7ee1-4545-860a-a788eba489b5\", \"datePublished\": \"2025-07-25T04:02:05.418Z\", \"assignerShortName\": \"VulDB\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
GHSA-JGMV-J7WW-JX2X
Vulnerability from github – Published: 2025-07-29 19:11 – Updated: 2025-07-30 14:14
VLAI?
Summary
Koa Open Redirect via Referrer Header (User-Controlled)
Details
Summary
In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.
Details
on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:
response.redirect(url, [alt])
Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.
ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');
however, the "back" method is insecure:
- https://github.com/koajs/koa/blob/master/lib/response.js#L322
back (alt) {
const url = this.ctx.get('Referrer') || alt || '/'
this.redirect(url)
},
Referrer Header is User-Controlled.
PoC
there is a demo for POC:
const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')
const app = new Koa()
const router = new Router()
// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))
// Define routes
router.get('/test', ctx => {
ctx.redirect('back', '/index1.html')
})
router.get('/test2', ctx => {
ctx.redirect('back')
})
router.get('/', ctx => {
ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})
app.use(router.routes())
app.use(router.allowedMethods())
const port = 3000
app.listen(port, () => {
console.log(`Server running at http://localhost:${port}`)
})
Proof Of Concept
GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
Impact
https://learn.snyk.io/lesson/open-redirect/
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.16.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-alpha.0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-8129"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-29T19:11:25Z",
"nvd_published_at": "2025-07-29T17:15:33Z",
"severity": "LOW"
},
"details": "## Summary\nIn the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.\n\n## Details\non the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:\n\n**response.redirect(url, [alt])**\n```\nPerforms a [302] redirect to url.\nThe string \"back\" is specially provided for Referrer support, using alt or \"/\" when Referrer does not exist.\n\nctx.redirect(\u0027back\u0027);\nctx.redirect(\u0027back\u0027, \u0027/index.html\u0027);\nctx.redirect(\u0027/login\u0027);\nctx.redirect(\u0027http://google.com\u0027);\n\n```\nhowever, the \"back\" method is insecure:\n\n- https://github.com/koajs/koa/blob/master/lib/response.js#L322\n```\n back (alt) {\n const url = this.ctx.get(\u0027Referrer\u0027) || alt || \u0027/\u0027\n this.redirect(url)\n },\n```\nReferrer Header is User-Controlled.\n\n\n## PoC\n\n**there is a demo for POC:**\n```\nconst Koa = require(\u0027koa\u0027)\nconst serve = require(\u0027koa-static\u0027)\nconst Router = require(\u0027@koa/router\u0027)\nconst path = require(\u0027path\u0027)\n\nconst app = new Koa()\nconst router = new Router()\n\n// Serve static files from the public directory\napp.use(serve(path.join(__dirname, \u0027public\u0027)))\n\n// Define routes\nrouter.get(\u0027/test\u0027, ctx =\u003e {\n ctx.redirect(\u0027back\u0027, \u0027/index1.html\u0027)\n})\n\nrouter.get(\u0027/test2\u0027, ctx =\u003e {\n ctx.redirect(\u0027back\u0027)\n})\n\nrouter.get(\u0027/\u0027, ctx =\u003e {\n ctx.body = \u0027Welcome to the home page! Try accessing /test, /test2\u0027\n})\n\napp.use(router.routes())\napp.use(router.allowedMethods())\n\nconst port = 3000\napp.listen(port, () =\u003e {\n console.log(`Server running at http://localhost:${port}`)\n}) \n```\n**Proof Of Concept**\n```\nGET /test HTTP/1.1\nHost: 127.0.0.1:3000\nReferer: http://www.baidu.com\nConnection: close\n\n\nGET /test2 HTTP/1.1\nHost: 127.0.0.1:3000\nReferer: http://www.baidu.com\nConnection: close\n```\n\n\n\n\n\n## Impact\nhttps://learn.snyk.io/lesson/open-redirect/",
"id": "GHSA-jgmv-j7ww-jx2x",
"modified": "2025-07-30T14:14:46Z",
"published": "2025-07-29T19:11:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54420"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/issues/1892"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/issues/1892#issue-3213028583"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/koajs/koa"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317514"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317514"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Koa Open Redirect via Referrer Header (User-Controlled)"
}
GHSA-MVW6-62QV-VMQF
Vulnerability from github – Published: 2025-07-25 06:30 – Updated: 2025-07-29 19:06
VLAI?
Summary
Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)
Details
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.
Original Description
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "koa"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-28T19:42:34Z",
"nvd_published_at": "2025-07-25T05:15:36Z",
"severity": "LOW"
},
"details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-mvw6-62qv-vmqf",
"modified": "2025-07-29T19:06:04Z",
"published": "2025-07-25T06:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8129"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/issues/1892"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/issues/1892#issue-3213028583"
},
{
"type": "WEB",
"url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0"
},
{
"type": "PACKAGE",
"url": "https://github.com/koajs/koa"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.317514"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.317514"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.619741"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)",
"withdrawn": "2025-07-29T19:06:04Z"
}
FKIE_CVE-2025-8129
Vulnerability from fkie_nvd - Published: 2025-07-25 05:15 - Updated: 2025-09-17 14:38
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
References
| URL | Tags | ||
|---|---|---|---|
| cna@vuldb.com | https://github.com/koajs/koa/issues/1892 | Exploit, Issue Tracking, Patch, Vendor Advisory | |
| cna@vuldb.com | https://github.com/koajs/koa/issues/1892#issue-3213028583 | Exploit, Issue Tracking, Patch, Third Party Advisory, Vendor Advisory | |
| cna@vuldb.com | https://vuldb.com/?ctiid.317514 | Permissions Required, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?id.317514 | Third Party Advisory, VDB Entry | |
| cna@vuldb.com | https://vuldb.com/?submit.619741 | Third Party Advisory, VDB Entry | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/koajs/koa/issues/1892 | Exploit, Issue Tracking, Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "A9F36937-D73F-442F-97E3-E57E6B4DD579",
"versionEndExcluding": "2.16.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:-:*:*:*:node.js:*:*",
"matchCriteriaId": "829BF63A-A53D-4B0B-9E79-9654AE97D713",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*",
"matchCriteriaId": "C939FF76-3FDC-4439-8794-4DFC390B6AE5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*",
"matchCriteriaId": "6C0F27D9-2CCD-4CA4-BB80-3650CA1CC7D7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*",
"matchCriteriaId": "AC7C1D95-EC40-445D-A46D-5B52C771E9EE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha3:*:*:*:node.js:*:*",
"matchCriteriaId": "1CB59D3F-CD0C-46FB-92E6-A57B5309690E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha4:*:*:*:node.js:*:*",
"matchCriteriaId": "7A156C47-5619-4AF3-B7F2-9BE83A5F8F15",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha5:*:*:*:node.js:*:*",
"matchCriteriaId": "0E020A81-C019-45A9-BA3D-0F3C83D1288A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad clasificada como problem\u00e1tica en KoaJS (hasta la versi\u00f3n 3.0.0). La funci\u00f3n afectada se encuentra en la librer\u00eda lib/response.js del componente HTTP Header Handler. La manipulaci\u00f3n del argumento Referrer provoca una redirecci\u00f3n abierta. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado."
}
],
"id": "CVE-2025-8129",
"lastModified": "2025-09-17T14:38:37.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "cna@vuldb.com",
"type": "Secondary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "cna@vuldb.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
},
"published": "2025-07-25T05:15:36.980",
"references": [
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/koajs/koa/issues/1892"
},
{
"source": "cna@vuldb.com",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Third Party Advisory",
"Vendor Advisory"
],
"url": "https://github.com/koajs/koa/issues/1892#issue-3213028583"
},
{
"source": "cna@vuldb.com",
"tags": [
"Permissions Required",
"VDB Entry"
],
"url": "https://vuldb.com/?ctiid.317514"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?id.317514"
},
{
"source": "cna@vuldb.com",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://vuldb.com/?submit.619741"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Issue Tracking",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/koajs/koa/issues/1892"
}
],
"sourceIdentifier": "cna@vuldb.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "cna@vuldb.com",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…