CVE-2025-62595
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-62595, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-21

Last updated on: 2025-10-21

Assigner: GitHub, Inc.

Description

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-21
Last Modified
2025-10-21
Generated
2026-07-06
AI Q&A
2025-10-21
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
koajs koa 2.16.2
koajs koa 3.0.3
koajs koa 3.0.1
koajs koa 2.16.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Koa.js framework allows an attacker to manipulate the Referer header to force a user's browser to navigate to an external, potentially malicious website. It happens because the framework incorrectly treats some specially crafted URLs as safe relative paths, enabling a bypass of a previous vulnerability (CVE-2025-8129) related to back redirect functionality.

Impact Analysis

Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications, potentially leading to compromised user trust or exposure to malicious sites.

Mitigation Strategies

Upgrade the Koa.js framework to version 3.0.3 or later, as this version contains the patch that fixes the vulnerability. Avoid using affected versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3 to prevent exploitation of the back redirect bypass.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62595. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart