
CVE-2025-8129: Koa Open Redirect Vulnerability

CVSS Score: 3.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.0571%
Published: 7/25/2025
Updated: 7/28/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Package Name: koa
Ecosystem: npm
Vulnerable Versions: < 3.0.1
First Patched Version: 3.0.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is an open redirect in the back() method of the Koa response object, located in lib/response.js. The original code read the request's Referer header (Koa's ctx.get() accepts either the 'Referrer' or 'Referer' spelling and returns whichever the client sent) and passed its value straight to redirect(), without checking where it pointed. Because browsers fill in Referer from the page that linked to the request, an attacker does not need to control the victim's client: hosting a link on an attacker-controlled origin to any application route that calls ctx.response.back() is enough, and when the user follows it the application answers with a redirect back to the attacker's site (consistent with the UI:R component of the CVSS vector). The patch adds validation: a Referrer that is a relative path (starts with '/') is accepted, an absolute URL is accepted only when its hostname matches the application's own hostname, and a Referrer from any other origin is discarded in favour of the safe fallback '/'. The vulnerable function is therefore response.back, the one that reads the untrusted Referrer header and performs the redirection.
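The pattern described above, shown as an added example that is not Koa's own code: the unsafe "Referer becomes Location" shape beside a same-origin check of the kind the patch introduces. makeCtx, backVulnerable, backSafe and compare are names chosen here, the Koa context is a minimal stand-in (ctx.get() for request headers, ctx.hostname taken from a constructed Host header), and app.example.com / evil.example are constructed hosts. The check goes slightly beyond the description on this page in one respect: a test for a leading '/' alone would also accept '//evil.example/...' or '/\evil.example', which browsers resolve as a protocol-relative URL to another host, so the example rejects those explicitly. Whether the Koa patch itself covers that case is not stated on this page.

```javascript
// Added example, not Koa's own code. Models the open redirect in
// response.back() (CVE-2025-8129) and a hardened same-origin variant.

// Minimal stand-in for a Koa context, built from constructed request headers.
function makeCtx(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  return {
    // Koa's ctx.get() treats "Referrer" and "Referer" as the same header.
    get(name) {
      const n = name.toLowerCase();
      if (n === 'referer' || n === 'referrer') {
        return lower.referrer || lower.referer || '';
      }
      return lower[n] || '';
    },
    // Assumption: the app's hostname comes from the Host header (no proxy).
    hostname: (lower.host || '').split(':')[0],
  };
}

// Vulnerable shape: whatever the client sent as Referer becomes the
// redirect target. Returns the Location the app would send.
function backVulnerable(ctx, alt) {
  return ctx.get('Referrer') || alt || '/';
}

// Hardened shape: only same-origin targets are honoured; everything else
// falls back to `alt` (or '/').
function backSafe(ctx, alt) {
  const fallback = alt || '/';
  const ref = ctx.get('Referrer');
  if (!ref) return fallback;

  // Relative path: accept, but reject "//host" and "/\host", which browsers
  // resolve as protocol-relative URLs pointing at another host.
  if (ref.startsWith('/')) {
    return ref[1] === '/' || ref[1] === '\\' ? fallback : ref;
  }

  // Absolute URL: accept only http(s) with a hostname equal to our own.
  let parsed;
  try {
    parsed = new URL(ref);
  } catch {
    return fallback; // unparsable: treat as untrusted
  }
  const httpScheme = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  if (httpScheme && ctx.hostname && parsed.hostname === ctx.hostname) return ref;
  return fallback;
}

// Constructed Referer values a server might receive for the same route.
const CASES = [
  '/dashboard',
  'https://app.example.com/settings',
  'https://evil.example/phish',
  '//evil.example/phish',
  'https://app.example.com@evil.example/',
  'javascript:alert(1)',
  '',
];

// Compare both implementations for one constructed request.
function compare(referer, alt) {
  const ctx = makeCtx({ Host: 'app.example.com:443', Referer: referer });
  return { vulnerable: backVulnerable(ctx, alt), safe: backSafe(ctx, alt) };
}

for (const r of CASES) {
  console.log(JSON.stringify(r), compare(r, '/home'));
}
```

Running the block prints, for each constructed Referer, where the vulnerable and hardened variants would send the browser; the userinfo case ('https://app.example.com@evil.example/') is included because a naive string comparison against the app's hostname would pass it, while URL parsing correctly reports evil.example as the host.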


WAF Protection Rules

WAF Rule

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to *.*.*. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redir
