Skip to content

chore(deps): update dependency koa to v3.0.1 [security]#1018

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-koa-vulnerability
Open

chore(deps): update dependency koa to v3.0.1 [security]#1018
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-koa-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 28, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
koa (source) 3.0.03.0.1 age confidence

Koa Open Redirect via Referrer Header (User-Controlled)

CVE-2025-8129 / GHSA-jgmv-j7ww-jx2x

More information

Details

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

image

image

Impact

https://learn.snyk.io/lesson/open-redirect/

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

koajs/koa (koa)

v3.0.1

Compare Source

What's Changed

Full Changelog: koajs/koa@v3.0.0...v3.0.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot enabled auto-merge (squash) July 28, 2025 20:50
@vercel

vercel Bot commented Jul 28, 2025

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
graphql-ez Error Error Jun 15, 2026 12:03am

@changeset-bot

changeset-bot Bot commented Jul 28, 2025

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: ec8867b

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 6c26c0b to a34f909 Compare August 4, 2025 01:38
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from a34f909 to 0981434 Compare August 10, 2025 14:31
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 0981434 to 3cb0147 Compare August 13, 2025 13:44
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 3cb0147 to 023b78d Compare August 19, 2025 17:49
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 023b78d to 728051b Compare August 31, 2025 10:02
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 728051b to e57d800 Compare September 25, 2025 17:03
@renovate renovate Bot changed the title fix(deps): update dependency koa to v3.0.1 [security] chore(deps): update dependency koa to v3.0.1 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from e57d800 to 347fa40 Compare October 21, 2025 17:05
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 347fa40 to be9f355 Compare November 10, 2025 21:40
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from be9f355 to bc853e2 Compare November 18, 2025 13:05
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from bc853e2 to 18f773c Compare December 3, 2025 18:52
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 18f773c to 3d73bcb Compare December 31, 2025 15:38
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 3d73bcb to 12fbf10 Compare January 8, 2026 16:53
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 12fbf10 to c6421cc Compare January 19, 2026 19:00
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from d716aae to 3d91f53 Compare February 12, 2026 17:14
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 3d91f53 to 5241291 Compare February 17, 2026 21:54
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 5241291 to 98362b9 Compare March 5, 2026 21:03
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 98362b9 to 240536e Compare March 13, 2026 19:02
@renovate renovate Bot changed the title chore(deps): update dependency koa to v3.0.1 [security] chore(deps): update dependency koa to v3.0.1 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
auto-merge was automatically disabled March 27, 2026 00:53

Pull request was closed

@renovate renovate Bot deleted the renovate/npm-koa-vulnerability branch March 27, 2026 00:53
@renovate renovate Bot changed the title chore(deps): update dependency koa to v3.0.1 [security] - autoclosed chore(deps): update dependency koa to v3.0.1 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch 2 times, most recently from 240536e to 4e49dd0 Compare March 30, 2026 20:56
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 4e49dd0 to eea5000 Compare April 1, 2026 20:58
@renovate renovate Bot enabled auto-merge (squash) April 1, 2026 20:58
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from eea5000 to 8e45ee7 Compare April 8, 2026 19:03
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 8e45ee7 to 00e045e Compare April 29, 2026 18:17
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 00e045e to 8bac7ae Compare May 12, 2026 12:33
@renovate renovate Bot force-pushed the renovate/npm-koa-vulnerability branch from 8bac7ae to ec8867b Compare June 15, 2026 00:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants