CVE-2025-8129
BaseFortify

Publication date: 2025-07-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Meta Information
Published: 2025-07-25
Last Modified: 2026-04-29
Generated: 2026-05-07
AI Q&A: 2025-07-25
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
koajs koa From 2.0.0 (inc) to 2.16.2 (exc)
koajs koa 3.0.0
Exploitability
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8129 is an open redirect vulnerability in the KoaJS Koa framework up to version 3.0.0. It exists in the 'back' method of the HTTP Header Handler component (lib/response.js), which insecurely uses the user-controllable HTTP Referrer header as the redirect target. An attacker can manipulate this Referrer header to redirect users to arbitrary, potentially malicious URLs. This vulnerability allows remote attackers to exploit the redirect behavior by crafting requests with malicious Referrer values. [1, 3]


How can this vulnerability impact me?

This vulnerability can be exploited to perform open redirect attacks, which may lead to phishing attacks by redirecting users to malicious websites. It can also impact the integrity of affected applications and potentially facilitate session hijacking or bypassing security controls. Exploitation requires user interaction but can be done remotely. There are no known mitigations, and replacing the affected component is suggested. [2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP responses from KoaJS servers for redirects that use the 'back' method relying on the Referrer header. You can test endpoints that use ctx.redirect('back') by sending HTTP requests with manipulated Referer headers and observing if the server redirects to the attacker-controlled URL. For example, using curl: curl -I -H "Referer: http://malicious.example.com" http://yourserver/test. If the response Location header points to the malicious URL, the server is vulnerable. [3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include avoiding the use of the vulnerable 'back' method that relies on the user-controllable Referrer header for redirects. If possible, replace or patch the affected KoaJS version to a version that does not use the Referrer header insecurely. Since no known mitigations or countermeasures have been identified, consider replacing the affected component with an alternative product or implementing custom redirect logic that validates or sanitizes the redirect target to prevent open redirects. [2, 3]
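As an added example that is not Koa's own code and not part of this advisory, the following JavaScript places a naive `back`-style redirect (the Referer header copied straight into Location, as the detection answer above describes) beside a same-origin check of the kind the mitigation answer recommends in place of `ctx.redirect('back')`. The names `naiveBack`, `safeBackTarget`, `redirectBack`, `makeCtx` and `compare`, the host `app.example` and the Referer values are assumptions constructed for illustration; `ctx.get`, `ctx.protocol`, `ctx.host` and `ctx.redirect` are the Koa accessors the helper mirrors.

```javascript
// Added example, not Koa's own code: a same-origin check for "back" redirects.
// A naive variant that trusts the Referer header is kept beside the hardened
// one so the two Location headers can be compared for the same request.

// Naive behaviour (illustrates the flaw): whatever the client sent in Referer
// becomes the Location header, with "/" used only when the header is absent.
function naiveBack(referer, fallback = '/') {
  return referer || fallback;
}

// Hardened target selection: resolve the Referer against the request's own
// origin and accept it only when the resulting origin matches. Returning just
// path + query means the Location header can never name another host.
function safeBackTarget(referer, requestOrigin, fallback = '/') {
  if (typeof referer !== 'string' || referer.length === 0) return fallback;
  let target;
  try {
    // Resolving against our origin normalises "/foo" into a same-origin URL and
    // exposes "//other.host", "/\other.host" or "javascript:" as foreign origins.
    target = new URL(referer, requestOrigin);
  } catch {
    return fallback; // unparsable input (e.g. a malformed requestOrigin)
  }
  if (target.origin !== new URL(requestOrigin).origin) return fallback;
  return target.pathname + target.search;
}

// Drop-in replacement for ctx.redirect('back') inside a Koa handler. The
// accessors used are Koa's; the function name is an assumption of this example.
function redirectBack(ctx, fallback = '/') {
  const origin = `${ctx.protocol}://${ctx.host}`;
  ctx.redirect(safeBackTarget(ctx.get('Referer'), origin, fallback));
}

// Constructed minimal stand-in for a Koa context so the example runs offline.
function makeCtx(referer) {
  return {
    protocol: 'http',
    host: 'app.example', // constructed host name
    status: 200,
    location: undefined,
    get(name) {
      return name.toLowerCase() === 'referer' ? referer : '';
    },
    redirect(url) {
      this.status = 302;
      this.location = url;
    },
  };
}

// The Location header each variant would emit for a given Referer value.
function compare(referer) {
  const ctx = makeCtx(referer);
  redirectBack(ctx);
  return { naive: naiveBack(referer), safe: ctx.location };
}

// Constructed sample Referer values: a foreign absolute URL, a same-origin
// path, a protocol-relative URL, and a missing header.
const samples = ['http://malicious.example.com', '/account?tab=1', '//malicious.example.com/x', undefined];
for (const r of samples) {
  console.log(JSON.stringify(r), '=>', compare(r));
}
```

Because `safeBackTarget` emits only path and query, the Location header cannot name another host even when the Host header itself is untrusted; the origin comparison only decides whether the Referer's path is reused or the fallback is sent.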

