PT-2025-42905 · Koa · Koa
Published 2025-10-21 · Updated 2026-01-20 · CVE-2025-62595
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Koa versions 2.16.2 through 2.16.3
Koa versions 3.0.1 through 3.0.3
Description
The Koa framework contains a flaw in its back redirect functionality. An attacker can manipulate the Referer header to redirect a user's browser to a malicious website, because the implementation incorrectly identifies certain URLs as safe relative paths. Exploiting this issue could allow attackers to perform phishing or social engineering attacks. The issue stems from the incorrect handling of protocol-relative URLs (those beginning with '//host'), which are treated as safe relative paths even though browsers interpret them as absolute redirects. A request with a protocol-relative Referer header, such as Referer: //evil.com, can trigger an external redirect, bypassing the intended same-origin protection. The vulnerable code treats values that startsWith('/') as safe relative paths, but protocol-relative URLs also begin with '/', which leads to the bypass.
Recommendations
Koa versions 2.16.2 through 2.16.3: Do not treat '//host' as a safe relative path.
Koa versions 3.0.1 through 3.0.3: Do not treat '//host' as a safe relative path. Explicitly exclude protocol-relative values from any relative-path branch. Normalize the Referer by resolving it with a base, then compare resolved.origin to ctx.origin before allowing the redirect.
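The following is an added example, not Koa's own code: it reconstructs the flawed "starts with '/'" check from the description above and places it beside the resolve-and-compare-origin check the recommendations describe. The function names (`vulnerableIsRelative`, `safeBackTarget`), the `ctxOrigin` parameter and the sample Referer values are this example's own.

```javascript
// Added example (not Koa's code). The flawed check is reconstructed from the
// advisory text; safeBackTarget() is this example's own helper, standing in
// for the same-origin check a back() redirect should perform.

// Flawed idea: anything beginning with '/' is a relative path. A protocol-relative
// value such as '//evil.com' also begins with '/', so it slips through.
function vulnerableIsRelative(ref) {
  return typeof ref === 'string' && ref.startsWith('/');
}

// Hardened: reject protocol-relative forms outright (including the backslash
// variants browsers normalise to '//'), then resolve the Referer against the
// app's own origin and accept it only when the resolved origin matches.
// Returns a same-origin target (path + query + fragment) or the fallback.
function safeBackTarget(ref, ctxOrigin, fallback = '/') {
  if (typeof ref !== 'string') return fallback;
  const value = ref.trim();
  if (value === '') return fallback;
  // '//host', '/\host', '\/host' and '\\host' are never safe relative paths.
  if (/^[\/\\]{2}/.test(value)) return fallback;
  let resolved;
  try {
    resolved = new URL(value, ctxOrigin); // relative paths resolve against ctxOrigin
  } catch {
    return fallback; // unparsable Referer: never redirect to it
  }
  if (resolved.origin !== ctxOrigin) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample Referer values as an app at https://app.example would see them.
const ORIGIN = 'https://app.example';
const SAMPLES = ['/account?tab=1#x', 'https://app.example/orders',
                 '//evil.com', '/\\evil.com', 'https://evil.com/x', ''];

// Side-by-side view: what the flawed check accepts versus where the hardened
// check actually sends the user.
function demo() {
  return SAMPLES.map(ref => ({
    ref,
    flawedSaysRelative: vulnerableIsRelative(ref),
    hardenedTarget: safeBackTarget(ref, ORIGIN),
  }));
}

console.table(demo());
```

Note that `//evil.com` passes the flawed check but resolves to origin `https://evil.com`, so the origin comparison alone would already reject it; the explicit protocol-relative exclusion is the belt to that suspender.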
Exploit
Fix
Open Redirect
Weakness Enumeration
Related Identifiers
Affected Products
Koa