KoaJS Koa CVE-2025-8129
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Blast Radius
Ecosystem impact: 34 npm packages depend on koa (31 direct, 3 indirect). Ecosystem-wide dependent count for version 2.0.0.
Description (CVE.org)
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Open redirect in KoaJS Koa up to version 3.0.0: the back() helper in lib/response.js builds its redirect target from the request's Referer header without validating it. The browser sets that header from the page the user navigated from, so an attacker controls it by hosting the page or link the victim arrives from, not by sending the request directly; the NVD vector (PR:L, UI:P) reflects that the victim must be logged in and must follow the attacker's link. A public proof of concept exists, but the EPSS exploitation probability is only 0.08%, consistent with a social-engineering vector rather than a widely exploitable server-side flaw.
Technical Context (AI)
KoaJS Koa is a lightweight Node.js web framework built around request/response middleware abstractions. The vulnerable code is the back() helper in lib/response.js, which is meant to send the user to the previous page by redirecting to the value of the HTTP Referer header (the header name is the historical misspelling; Koa's request.get() accepts both 'Referer' and 'Referrer' and returns whichever header the request carries). CWE-601 (URL Redirection to Untrusted Site, Open Redirect) applies when user-controlled input, here the Referer header, is used to build a redirect target without validation. Before the fix, back() handed the header value straight to redirect(), so any absolute URL in it became the Location header, including one naming an external or attacker-controlled host. The consequence is the usual open-redirect one: a link to the trusted domain that lands the user somewhere else, which is mainly useful for phishing.
Remediation (AI)
Upgrade KoaJS Koa to a patched release newer than 3.0.0. The upstream issue is https://github.com/koajs/koa/issues/1892, where the maintainers addressed the problem by validating the Referer value in back() and rejecting targets on other domains. If upgrading is not immediately possible, either stop calling back() and redirect to explicit, server-chosen destinations that no request header can influence, or wrap it so the Referer is accepted only when its parsed origin (scheme, host and port) matches the request origin. Compare parsed origins rather than string prefixes: a host such as app.example.com.evil.example (example name) starts with the trusted origin string, and a protocol-relative value like //evil.example has no scheme to match but still sends the browser off-site. Removing back() may require moving 'go back' behaviour to the browser's history API on the client.