Skip to content

chore(deps): update dependency koa to v2.16.2 [security] - autoclosed#3390

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-npm-koa-vulnerability
Closed

chore(deps): update dependency koa to v2.16.2 [security] - autoclosed#3390
renovate[bot] wants to merge 1 commit into
mainfrom
renovate-npm-koa-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 9, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
koa (source) 2.15.32.16.2 age confidence
koa (source) 2.16.02.16.2 age confidence

GitHub Vulnerability Alerts

CVE-2025-32379

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

  1. Redirect user to another phishing site
  2. Make request to another endpoint of the application based on user's cookie
  3. Steal user's cookie

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@&#8203;koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

image

image

Impact

https://learn.snyk.io/lesson/open-redirect/


Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

Full Changelog: koajs/koa@v2.16.1...v2.16.2

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at #​1593 and #​1547.

  • fix missing cleanup, if response socket is no longer writeable (issue 1547) (#​1593) 399cb6b

v2.15.4

Compare Source

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies Pull requests that update a dependency label Apr 9, 2025
@netlify

netlify Bot commented Apr 9, 2025

Copy link
Copy Markdown

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit 748a25a
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/697642a4271d0600081d10fc

@github-actions

github-actions Bot commented Apr 9, 2025

Copy link
Copy Markdown

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 41.00
  • Iterations/s: 13.67
  • Failed Requests: 0.00% (0 of 2468)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 891 kB 15 kB/s
     data_sent......................: 1.9 MB 32 kB/s
     http_req_blocked...............: avg=8.29µs   min=2.09µs   med=5.49µs   max=1.7ms    p(90)=6.61µs   p(95)=7.15µs  
     http_req_connecting............: avg=1.4µs    min=0s       med=0s       max=1.63ms   p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=96.93ms  min=8.01ms   med=79.58ms  max=655.63ms p(90)=164.61ms p(95)=186.75ms
       { expected_response:true }...: avg=96.93ms  min=8.01ms   med=79.58ms  max=655.63ms p(90)=164.61ms p(95)=186.75ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2468
     http_req_receiving.............: avg=92.39µs  min=25.31µs  med=79.05µs  max=4.46ms   p(90)=118.83µs p(95)=152.61µs
     http_req_sending...............: avg=38.53µs  min=8.25µs   med=29.34µs  max=2.15ms   p(90)=44.08µs  p(95)=61.21µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=96.8ms   min=7.83ms   med=79.43ms  max=655.54ms p(90)=164.24ms p(95)=186.63ms
     http_reqs......................: 2468   40.998936/s
     iteration_duration.............: avg=292.39ms min=179.91ms med=280.24ms max=1.19s    p(90)=347.12ms p(95)=379.13ms
     iterations.....................: 823    13.67185/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 9032fa3 to 71640f1 Compare April 24, 2025 10:45
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 71640f1 to 5a790b4 Compare May 19, 2025 18:01
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 6d53195 to c9e4cef Compare June 4, 2025 08:12
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 30058d2 to 868e72f Compare June 12, 2025 17:03
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 868e72f to 20cf163 Compare June 22, 2025 15:06
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 20cf163 to e123166 Compare July 2, 2025 15:44
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from e123166 to 1e9b16c Compare July 16, 2025 11:48
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 1e9b16c to 087ad82 Compare July 28, 2025 20:51
@renovate renovate Bot changed the title fix(deps): update dependency koa to v2.16.1 [security] fix(deps): update dependency koa to v3 [security] Jul 28, 2025
@github-actions github-actions Bot added type: tests Testing related pkg: backend Changes in the backend package. pkg: auth Changes in the GNAP auth package. labels Jul 28, 2025
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 087ad82 to c26c97f Compare July 30, 2025 20:09
@renovate renovate Bot changed the title fix(deps): update dependency koa to v3 [security] fix(deps): update dependency koa to v2.16.2 [security] Jul 30, 2025
@github-actions github-actions Bot removed type: tests Testing related pkg: backend Changes in the backend package. pkg: auth Changes in the GNAP auth package. labels Jul 30, 2025
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from c26c97f to 73a56e6 Compare July 31, 2025 12:16
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 9f6c1c5 to f65afb0 Compare August 13, 2025 16:51
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from f65afb0 to 989f440 Compare August 19, 2025 16:16
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 989f440 to 6a9600d Compare August 31, 2025 14:36
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 6a9600d to f2a2429 Compare September 25, 2025 14:51
@renovate renovate Bot changed the title fix(deps): update dependency koa to v2.16.2 [security] chore(deps): update dependency koa to v2.16.2 [security] Sep 25, 2025
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from f2a2429 to b4120f3 Compare September 25, 2025 15:57
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 68ce034 to fe6ab7e Compare October 21, 2025 12:31
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from b3dbe1c to a89e74a Compare October 31, 2025 16:10
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from a89e74a to 578d0d3 Compare November 10, 2025 17:17
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 578d0d3 to cf9e08a Compare November 18, 2025 14:05
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 868f7ca to 9146f21 Compare December 3, 2025 14:48
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 10dba30 to 9986492 Compare December 31, 2025 19:40
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 1773a29 to dd0bc1b Compare January 11, 2026 11:47
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 37cdafb to 192e5c9 Compare January 23, 2026 19:40
@renovate renovate Bot force-pushed the renovate-npm-koa-vulnerability branch from 192e5c9 to 748a25a Compare January 25, 2026 16:19
@renovate renovate Bot changed the title chore(deps): update dependency koa to v2.16.2 [security] chore(deps): update dependency koa to v2.16.2 [security] - autoclosed Jan 27, 2026
@renovate renovate Bot closed this Jan 27, 2026
@renovate renovate Bot deleted the renovate-npm-koa-vulnerability branch January 27, 2026 18:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants