Skip to content

chore(deps): update dependency koa to v3.0.1 [security] #195

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: v1
Choose a base branch
from
Open

chore(deps): update dependency koa to v3.0.1 [security] #195

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 10, 2025

This PR contains the following updates:

Package Change Age Confidence
koa (source) 3.0.0 -> 3.0.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
})

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

image

image

Impact

https://learn.snyk.io/lesson/open-redirect/

Release Notes

koajs/koa (koa)

v3.0.1

Compare Source

What's Changed

Full Changelog: koajs/koa@v3.0.0...v3.0.1

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Dependencies (auto) update label Oct 10, 2025
@changeset-bot
Copy link

changeset-bot bot commented Oct 10, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: e369cb5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@pkg-pr-new
Copy link

pkg-pr-new bot commented Oct 10, 2025
edited
Loading

Open in StackBlitz

unioc

npm i https://pkg.pr.new/iocjs/unioc@195

@unioc/adapter-midway

npm i https://pkg.pr.new/iocjs/unioc/@unioc/adapter-midway@195

@unioc/adapter-nestjs

npm i https://pkg.pr.new/iocjs/unioc/@unioc/adapter-nestjs@195

@unioc/core

npm i https://pkg.pr.new/iocjs/unioc/@unioc/core@195

@unioc/decorator

npm i https://pkg.pr.new/iocjs/unioc/@unioc/decorator@195

@unioc/meta

npm i https://pkg.pr.new/iocjs/unioc/@unioc/meta@195

@unioc/reflector

npm i https://pkg.pr.new/iocjs/unioc/@unioc/reflector@195

@unioc/shared

npm i https://pkg.pr.new/iocjs/unioc/@unioc/shared@195

@unioc/web

npm i https://pkg.pr.new/iocjs/unioc/@unioc/web@195

@unioc/web-bun

npm i https://pkg.pr.new/iocjs/unioc/@unioc/web-bun@195

@unioc/web-express

npm i https://pkg.pr.new/iocjs/unioc/@unioc/web-express@195

@unioc/web-koa

npm i https://pkg.pr.new/iocjs/unioc/@unioc/web-koa@195

@unioc/commander

npm i https://pkg.pr.new/iocjs/unioc/@unioc/commander@195

create-unioc

npm i https://pkg.pr.new/iocjs/unioc/create-unioc@195

commit: e369cb5

@renovate renovate bot force-pushed the renovate/npm-koa-vulnerability branch from 011cd6d to e369cb5 Compare October 21, 2025 16:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Groupguanfang Groupguanfang Awaiting requested review from Groupguanfang

Assignees

@Groupguanfang Groupguanfang

Labels

dependencies Dependencies (auto) update

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Groupguanfang