CVE-2025-62595
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-21

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description
Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-21
Last Modified
2025-10-21
Generated
2026-06-16
AI Q&A
2025-10-21
EPSS Evaluated
2026-06-15
NVD
CVE-2025-62595
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
koajs koa 2.16.2
koajs koa 3.0.3
koajs koa 3.0.1
koajs koa 2.16.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in the Koa.js framework allows an attacker to manipulate the Referer header to force a user's browser to navigate to an external, potentially malicious website. It happens because the framework incorrectly treats some specially crafted URLs as safe relative paths, enabling a bypass of a previous vulnerability (CVE-2025-8129) related to back redirect functionality.

Impact Analysis

Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications, potentially leading to compromised user trust or exposure to malicious sites.

Mitigation Strategies

Upgrade the Koa.js framework to version 3.0.3 or later, as this version contains the patch that fixes the vulnerability. Avoid using affected versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3 to prevent exploitation of the back redirect bypass.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart