4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62595

GHSA ID

GHSA-g8mr-fgfg-5qpc

EPSS Score

CWE

CWE-601

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62595

CVE-2025-62595: Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Summary:

A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications.

This vulnerability affects the code referenced in GitHub Advisory GHSA-jgmv-j7ww-jx2x (which is tracked as CVE‑2025‑54420).

Details:

The patched code attempts to treat values that startWith('/') as safe relative paths and only perform origin checks for absolute URLs. However, protocol‑relative URLs (those beginning with //host) also start with '/' and therefore match the startsWith('/') branch. A protocol‑relative referrer such as //evil.com with trailing double-slash is treated by the implementation as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com (or http:// based on context). This discrepancy allows an attacker to supply Referer: //evil.com and trigger an external redirect - bypassing the intended same‑origin protection.

Proof of concept (PoC):

Affected line of code: https://github.com/koajs/koa/blob/master/lib/response.js#L326 The problematic logic looks like:

Request with a protocol‑relative Referer: curl -i -H "Referer: //haymiz.dev" http://127.0.0.1:3000/test

Vulnerable response will contain: HTTP/1.1 302 Found Location: //haymiz.dev

A browser receiving that Location header navigates to https://haymiz.dev (or http:// depending on context), resulting in an open redirect to an attacker‑controlled host:

Recommendation / Patch:

Do not treat //host as a safe relative path. Explicitly exclude protocol‑relative values from any relative‑path branch.
Normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin (or ctx.host plus scheme/port) before allowing the redirect.

Impact:

An attacker who can cause a victim to visit a specially crafted link (or inject a request with a controlled Referer) can cause the victim to be redirected to an attacker‑controlled domain. This can be used for phishing, social engineering, or to bypass some protection rules that rely on same‑origin navigation.

(GitHub Advisory)

4.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62595

GHSA ID

GHSA-g8mr-fgfg-5qpc

EPSS Score

CWE

CWE-601

Published

10/21/2025

Updated

10/21/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
koa	npm	>= 3.0.1, < 3.0.3	3.0.3
koa	npm	>= 2.16.2, < 2.16.3	2.16.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability analysis began by examining the provided commit 769fd75cc6b30d72493b370b5a3ae2332ca03c5b, which was identified as the patch for the open redirect issue in Koa. The commit modified lib/response.js. The key change was the removal of a code block within the back function. This removed block checked if the Referrer header started with / and, if so, performed a redirect, assuming it was a safe relative path. The vulnerability description and the test case added in __tests__/response/back.test.js confirm that this logic was flawed because protocol-relative URLs (e.g., //evil.com) also start with / but are interpreted by browsers as external URLs. By removing this check, the patch ensures that all referrer URLs are properly parsed and their origin is validated against the application's host, thus closing the open redirect vulnerability. The vulnerable function is therefore back in lib/response.js, as it contained the logic that processed the malicious Referrer header and triggered the unsafe redirect.

Vulnerable functions

back

lib/response.js

The `back` function in `lib/response.js` was vulnerable to an open redirect. The code checked if the `Referrer` header started with a `/` to determine if it was a relative path. However, it did not account for protocol-relative URLs like `//evil.com`, which also start with `/`. An attacker could provide a crafted `Referrer` header like `//evil.com`, which the application would treat as a safe relative path and redirect the user to it. Browsers interpret a `Location` header of `//evil.com` as a redirect to `https://evil.com`, leading to the open redirect.

WAF Protection Rules

WAF Rule

### Summ*ry: * *yp*ss w*s *is*ov*r** in t** `Ko*.js` *r*m*work *****tin* its ***k r**ir**t *un*tion*lity. In **rt*in *ir*umst*n**s, *n *tt**k*r **n m*nipul*t* t** R***r*r *****r to *or** * us*r’s *rows*r to n*vi**t* to *n *xt*rn*l, pot*nti*lly m*li*

Reasoning

T** vuln*r**ility *n*lysis ****n *y *x*minin* t** provi*** *ommit `****************************************`, w*i** w*s i**nti*i** *s t** p*t** *or t** op*n r**ir**t issu* in Ko*. T** *ommit mo*i*i** `li*/r*spons*.js`. T** k*y ***n** w*s t** r*mov*l

4.7

Basic Information

Concerned about an active attack path?

CVE-2025-62595: Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Summary:

Details:

Proof of concept (PoC):

Recommendation / Patch:

Impact:

4.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI