CVE-2025-62595

MEDIUM

Koa < 3.0.3 - Open Redirect

Title source: rule

Description

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.

References (2)

[Exploit, Vendor Advisory] https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc

[Patch] https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0002

EPSS Percentile 4.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (3)

koajs/koa 2.16.2

koajs/koa 3.0.1 - 3.0.3

npm/koa 3.0.1 - 3.0.3npm

Published Oct 21, 2025

Tracked Since Feb 18, 2026