chore(deps): update dependency koa to v3.0.1 [security] #1018
Open
renovate[bot] wants to merge 1 commit into
Open
auto-merge was automatically disabled
March 27, 2026 00:53
Pull request was closed
This PR contains the following updates:
koa: 3.0.0 → 3.0.1
Koa Open Redirect via Referrer Header (User-Controlled)
CVE-2025-8129 / GHSA-jgmv-j7ww-jx2x
More information
Details
Summary
In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.
Details
On the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:
response.redirect(url, [alt])
However, the "back" method is insecure:
Referrer Header is User-Controlled.
PoC
There is a demo for the PoC:
Proof Of Concept
Impact
https://learn.snyk.io/lesson/open-redirect/
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
References
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
koajs/koa (koa)
v3.0.1 (Compare Source)
What's Changed
422c551 Full Changelog: koajs/koa@v3.0.0...v3.0.1
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.
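The advisory quoted in this PR describes a "back" redirect that sends the client to whatever the Referrer header says, which the client itself controls. As an added example (not Koa's code, not part of this PR, and not the advisory's PoC), the helper below shows the defensive pattern: honour the referrer only when it resolves to the same host as the current request, and otherwise fall back to a server-chosen path. The function name `safeBackTarget`, the host `app.example.com` and the sample header values are constructed for illustration.

```javascript
// Added example (not Koa's implementation): choose a safe target for a
// "go back" redirect instead of echoing the raw Referrer header.
// Uses only the WHATWG URL class that Node.js provides as a global.

/**
 * Return a same-origin redirect target or a server-chosen fallback.
 * @param {string|undefined} referrer  Referer/Referrer header value (client-controlled)
 * @param {string} requestHost         host of the current request, e.g. "app.example.com" (constructed)
 * @param {string} fallback            path to use when the referrer is missing or foreign
 * @returns {string} path + query on the current host, or the fallback
 */
function safeBackTarget(referrer, requestHost, fallback = '/') {
  if (typeof referrer !== 'string' || referrer.length === 0) return fallback;

  let parsed;
  try {
    // Resolve against a fixed base so a bare path ("/account") is accepted,
    // while a scheme-relative "//evil.example" resolves to a foreign host.
    parsed = new URL(referrer, `https://${requestHost}`);
  } catch {
    return fallback; // unparsable header value
  }

  // Reject non-web schemes such as javascript: or data:.
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;

  // Exact host match (including port); anything else is an open-redirect target.
  if (parsed.host.toLowerCase() !== requestHost.toLowerCase()) return fallback;

  // Re-emit only path and query; never echo the original string back verbatim.
  return parsed.pathname + parsed.search;
}

/**
 * Run the helper over a set of constructed referrer values so the behaviour
 * can be inspected in one place. Returns an object keyed by input.
 */
function classifySamples(requestHost = 'app.example.com', fallback = '/home') {
  const samples = [
    'https://app.example.com/account?tab=1', // same host: honoured
    '/settings',                              // bare path: honoured
    'https://evil.example/phish',             // foreign host: fallback
    '//evil.example/phish',                   // scheme-relative: fallback
    'javascript:alert(1)',                    // non-web scheme: fallback
    'https://app.example.com:8443/x',         // different port: fallback
  ];
  const out = {};
  for (const s of samples) out[s] = safeBackTarget(s, requestHost, fallback);
  return out;
}

module.exports = { safeBackTarget, classifySamples };
```

In a Koa handler this would be used as `ctx.redirect(safeBackTarget(ctx.get('Referrer'), ctx.host, '/home'))` in place of a bare `redirect('back')`; the point is that the Location header is derived from a validated path plus a server-chosen default, so a crafted Referrer can at most return the user to a page on the same host.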