← back
CVE-2025-8129

KoaJS Koa HTTP Header response.js back redirect

CVSS 5.1 MEDIUMEPSS 0.2%CWE-601
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.1EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
25 Jul 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
Affected products
KoaJS · Koa

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/koajs/koa/issues/1892https://github.com/koajs/koa/issues/1892#issue-3213028583https://vuldb.com/?ctiid.317514https://vuldb.com/?id.317514https://vuldb.com/?submit.619741