CVE-2025-8129

Description

## Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. ## Details on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see: **response.redirect(url, [alt])** ``` Performs a [302] redirect to url. The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist. ctx.redirect('back'); ctx.redirect('back', '/index.html'); ctx.redirect('/login'); ctx.redirect('http://google.com'); ``` however, the "back" method is insecure: - https://github.com/koajs/koa/blob/master/lib/response.js#L322 ``` back (alt) { const url = this.ctx.get('Referrer') || alt || '/' this.redirect(url) }, ``` Referrer Header is User-Controlled. ## PoC **there is a demo for POC:** ``` const Koa = require('koa') const serve = require('koa-static') const Router = require('@koa/router') const path = require('path') const app = new Koa() const router = new Router() // Serve static files from the public directory app.use(serve(path.join(__dirname, 'public'))) // Define routes router.get('/test', ctx => { ctx.redirect('back', '/index1.html') }) router.get('/test2', ctx => { ctx.redirect('back') }) router.get('/', ctx => { ctx.body = 'Welcome to the home page! Try accessing /test, /test2' }) app.use(router.routes()) app.use(router.allowedMethods()) const port = 3000 app.listen(port, () => { console.log(`Server running at http://localhost:${port}`) }) ``` **Proof Of Concept** ``` GET /test HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close GET /test2 HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close ``` ![image](https://github.com/user-attachments/assets/03d1e61b-df97-4b42-a0c4-437bd17144db) ![image](https://github.com/user-attachments/assets/f4e076e0-3853-4b7a-b4c0-bddf5b67631a) ## Impact https://learn.snyk.io/lesson/open-redirect/

How to fix CVE-2025-8129

To remediate CVE-2025-8129, upgrade the affected package to a fixed version below.

—upgrade to 2.16.2 or later

Is CVE-2025-8129 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	LOW3.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description

How to fix CVE-2025-8129

Is CVE-2025-8129 being exploited?

Affected packages (1)

CVSS scores

References (9)