PT-2021-15479 · Npm · Koa-Remove-Trailing-Slashes

Apple502J · Published 2021-05-17 · Updated 2022-02-10 · CVE-2021-23384

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: koa-remove-trailing-slashes versions prior to 2.0.2
Description: The package is vulnerable to Open Redirect when a vulnerable endpoint is requested with a double slash after the host and a trailing slash, for example https://example.com//attacker.example/. The middleware strips the trailing slash and redirects to the remaining path, //attacker.example, which browsers interpret as a scheme-relative URL and follow to attacker.example. The vulnerable code is in index.js::removeTrailingSlashes(): the redirect is issued as a relative URL rather than as an absolute URL on the application's own origin.
Recommendations: For versions prior to 2.0.2, update to version 2.0.2 or later. As a temporary workaround, modify index.js::removeTrailingSlashes() so that a request path beginning with two slashes can never become a relative redirect target (for example by collapsing leading slashes and redirecting to an absolute URL on the application's own origin), or restrict access to the affected endpoints to reduce exposure until the upgrade is done.
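The following is an added example, not the koa-remove-trailing-slashes source or the project's own fix. It models the redirect computation in plain Node.js with no Koa dependency: vulnerableRedirectTarget() reproduces the pattern described above, hardenedRedirectTarget() shows one way to close it, and resolveLocation() uses the WHATWG URL parser to show where a browser lands after following each Location header. The function names, the https://example.com origin and the sample request paths are assumptions constructed for illustration.

```javascript
// Added example (not the package's code): models a Koa-style "remove trailing
// slashes" redirect and shows why a path-only Location header is dangerous.
// Function names, the origin and the sample paths are constructed for illustration.

// Vulnerable pattern: drop trailing slashes from the request path and redirect
// to whatever is left, as a relative Location. For a request path of
// "//attacker.example/" the result is "//attacker.example", which browsers read
// as a scheme-relative URL (same scheme, different host).
function vulnerableRedirectTarget(requestPath) {
  if (requestPath.length > 1 && requestPath.endsWith('/')) {
    return requestPath.replace(/\/+$/, '') || '/';
  }
  return null; // no trailing slash, nothing to redirect
}

// Hardened pattern: turn backslashes into slashes first (WHATWG URL parsers treat
// "/\host" like "//host" for http and https), collapse any run of leading slashes
// to a single one so the path can never begin with "//", and emit the Location
// as an absolute URL on the application's own origin.
function hardenedRedirectTarget(requestPath, origin) {
  const stripped = requestPath.replace(/\/+$/, '');
  const normalized = stripped.replace(/\\/g, '/').replace(/^\/+/, '/') || '/';
  if (normalized === requestPath) {
    return null; // already canonical, let the request through
  }
  return new URL(normalized, origin).href;
}

// Where a browser ends up after following a Location header: resolve the header
// value against the URL of the page that issued the redirect, as the browser does.
function resolveLocation(location, requestUrl) {
  return new URL(location, requestUrl).href;
}

// Run one constructed request path through both implementations side by side.
function compare(requestPath, origin = 'https://example.com') {
  const requestUrl = origin + requestPath;
  const vulnerable = vulnerableRedirectTarget(requestPath);
  const hardened = hardenedRedirectTarget(requestPath, origin);
  return {
    requestPath,
    vulnerableLocation: vulnerable,
    vulnerableLandsAt: vulnerable && resolveLocation(vulnerable, requestUrl),
    hardenedLocation: hardened,
  };
}

// Constructed sample paths: a benign one, the double-slash case from the
// advisory, the backslash variant, and the bare root.
for (const p of ['/docs/', '//attacker.example/', '/\\attacker.example/', '/']) {
  console.log(compare(p));
}
```

The hardened variant also changes where a request for //attacker.example/ ends up (on /attacker.example of the application's own origin), which is the intended behaviour: a redirect target derived from attacker-controlled input should never be able to name a host.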

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2021-23384
GHSA-R773-PMW3-F4MR
SNYK-JS-KOAREMOVETRAILINGSLASHES-1085708

Affected Products

Koa-Remove-Trailing-Slashes