GHSA-G8MR-FGFG-5QPC

Vulnerability from github – Published: 2025-10-21 15:09 – Updated: 2025-10-21 15:09
Summary
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
Details

Summary:

A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.

This vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE‑2025‑54420).

Details:

The patched code treats values that satisfy startsWith('/') as safe relative paths and only performs an origin check for absolute URLs. However, protocol-relative URLs (those beginning with //host) also start with '/' and therefore match the startsWith('/') branch. A protocol-relative referrer such as //evil.com, which begins with a double slash, is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// depending on context). This discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect, bypassing the intended same-origin protection.

Proof of concept (PoC):

Affected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326

The problematic logic looks like:

[Screenshot of the affected code in lib/response.js; image not reproduced here]

Request with a protocol-relative Referer:

curl -i -H "Referer: //haymiz.dev" http://127.0.0.1:3000/test

[Screenshot of the curl session; image not reproduced here]

Vulnerable response will contain:

HTTP/1.1 302 Found
Location: //haymiz.dev

A browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker-controlled host:

[Screenshot of the browser landing on the external host; image not reproduced here]

Recommendation / Patch:

  • Do not treat //host as a safe relative path. Explicitly exclude protocol‑relative values from any relative‑path branch.
  • Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.
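To make the Details and the Recommendation concrete, here is an added example (not Koa's own code) that places the startsWith('/') shortcut beside an origin check that resolves the Referer against the request URL, as the second recommendation describes; the function names and the ctxHref parameter standing in for Koa's ctx.href are assumptions of this example.

```javascript
// Added example, not Koa's own code: the startsWith('/') shortcut the
// advisory describes, next to an origin check that resolves the Referer
// against the request URL. Function names here are assumptions.

// Shortcut from the advisory: anything beginning with "/" counts as a
// relative path, so a protocol-relative "//evil.com" is accepted too.
function naiveIsLocal(rawRef) {
  return rawRef.startsWith('/');
}

// Hardened check: resolve the raw Referer relative to the current request
// URL (ctxHref plays the role of Koa's ctx.href) and compare origins
// (scheme + host + port). The WHATWG URL parser turns "//evil.com" into
// "http://evil.com/" and also normalizes backslash forms such as
// "/\evil.com" to the same host, so one comparison covers both.
function isSameOriginRedirect(rawRef, ctxHref) {
  let resolved;
  try {
    resolved = new URL(rawRef, ctxHref);
  } catch (e) {
    return false; // unparseable Referer: never redirect to it
  }
  return resolved.origin === new URL(ctxHref).origin;
}

// Choose the "back" target: the resolved same-origin Referer, otherwise a
// fallback. Returning resolved.href rather than the raw header means the
// Location value can never start with "//".
function safeBackTarget(rawRef, ctxHref, fallback = '/') {
  if (!rawRef || !isSameOriginRedirect(rawRef, ctxHref)) return fallback;
  return new URL(rawRef, ctxHref).href;
}

// Constructed sample values: the PoC request URL and several Referer headers.
const REQUEST_URL = 'http://127.0.0.1:3000/test';
const SAMPLE_REFERERS = [
  '/account',                        // same-origin relative path: allowed
  'http://127.0.0.1:3000/account',   // same-origin absolute URL: allowed
  '//haymiz.dev',                    // protocol-relative (the PoC): rejected
  '/\\evil.com',                     // backslash variant: rejected
  'https://127.0.0.1:3000/account',  // scheme differs, so origin differs
];

for (const ref of SAMPLE_REFERERS) {
  console.log(`${ref.padEnd(32)} naive=${naiveIsLocal(ref)} ` +
    `safe=${isSameOriginRedirect(ref, REQUEST_URL)} ` +
    `target=${safeBackTarget(ref, REQUEST_URL)}`);
}
```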

Impact:

An attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker‑controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same‑origin navigation.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.1"
            },
            {
              "fixed": "3.0.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "koa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.2"
            },
            {
              "fixed": "2.16.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-62595"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-21T15:09:06Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "id": "GHSA-g8mr-fgfg-5qpc",
  "modified": "2025-10-21T15:09:06Z",
  "published": "2025-10-21T15:09:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/koajs/koa"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic"
}