Skip to content

chore(deps): update dependency koa to v2.16.2 [security] #2961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency koa to v2.16.2 [security] #2961

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 29, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
koa (source) 2.16.1 -> 2.16.2 age confidence

GitHub Vulnerability Alerts

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
})

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

image

image

Impact

https://learn.snyk.io/lesson/open-redirect/

Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

Full Changelog: koajs/koa@v2.16.1...v2.16.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 29, 2025
@renovate renovate bot requested a review from a team as a code owner July 29, 2025 00:26
@github-actions github-actions bot added pkg:instrumentation-koa pkg-status:unmaintained This package is unmaintained. Only bugfixes may be acceped until a new owner has been found. labels Jul 29, 2025
@codecov Codecov
Copy link

codecov bot commented Jul 29, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.84%. Comparing base (c0593e6) to head (63ae170).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #2961   +/-   ##
=======================================
  Coverage   89.84%   89.84%           
=======================================
  Files         188      188           
  Lines        9272     9272           
  Branches     1901     1901           
=======================================
  Hits         8330     8330           
  Misses        942      942
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@tlindhardt
Copy link

tlindhardt commented Jul 29, 2025
edited
Loading

Its worth mentioning I have a pr open, though Im unsure how to get it merged, upgrading to 3.0.0. #2957 I would be happy to upgrade to 3.0.1.

@renovate renovate bot changed the title chore(deps): update dependency koa to v3 [security] chore(deps): update dependency koa to v2.16.2 [security] Jul 30, 2025
@renovate renovate bot force-pushed the renovate/npm-koa-vulnerability branch 2 times, most recently from e0d53ee to aa5bf6b Compare July 31, 2025 10:49
@renovate renovate bot force-pushed the renovate/npm-koa-vulnerability branch from aa5bf6b to 63ae170 Compare August 1, 2025 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@dyladan dyladan

@legendecas legendecas

@pichlermarc pichlermarc

@blumamir blumamir

Labels
dependencies Pull requests that update a dependency file pkg:instrumentation-koa pkg-status:unmaintained This package is unmaintained. Only bugfixes may be acceped until a new owner has been found.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tlindhardt @dyladan @legendecas @pichlermarc @blumamir