Description

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.

INFO

Published Date :

2025-10-21T16:20:43.809Z

Last Modified :

2025-10-21T16:35:48.461Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-62595 vulnerability.

Vendors Products
Koajs
  • Koa
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-62595.

URL Resource
https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b cve-icon cve-icon cve-icon
https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc cve-icon cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-62595 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-62595 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact