CVE-2025-8129

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS v3 3.5 LOW
CVSS v2.0 4.0 MEDIUM

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/koajs/koa/issues/1892	Exploit Issue Tracking Patch Vendor Advisory
https://github.com/koajs/koa/issues/1892#issue-3213028583	Exploit Issue Tracking Patch Third Party Advisory Vendor Advisory
https://vuldb.com/?ctiid.317514	Permissions Required VDB Entry
https://vuldb.com/?id.317514	Third Party Advisory VDB Entry
https://vuldb.com/?submit.619741	Third Party Advisory VDB Entry
https://github.com/koajs/koa/issues/1892	Exploit Issue Tracking Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:koajs:koa::::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:-::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha0::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha1::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha2::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha3::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha4::::node.js::*
	cpe:2.3:a:koajs:koa:3.0.0:alpha5::::node.js::*

History

No history.

Information

Published : 2025-07-25 05:15

Updated : 2025-09-17 14:38

NVD link : CVE-2025-8129

Mitre link : CVE-2025-8129

CVE.ORG link : CVE-2025-8129

JSON object : View

Products Affected

koajs

koa

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-8129", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-07-25T05:15:36.980", "references": [{"url": "https://github.com/koajs/koa/issues/1892", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/koajs/koa/issues/1892#issue-3213028583", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.317514", "tags": ["Permissions Required", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?id.317514", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.619741", "tags": ["Third Party Advisory", "VDB Entry"], "source": "[email protected]"}, {"url": "https://github.com/koajs/koa/issues/1892", "tags": ["Exploit", "Issue Tracking", "Patch", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad clasificada como problem\u00e1tica en KoaJS (hasta la versi\u00f3n 3.0.0). La funci\u00f3n afectada se encuentra en la librer\u00eda lib/response.js del componente HTTP Header Handler. La manipulaci\u00f3n del argumento Referrer provoca una redirecci\u00f3n abierta. El ataque puede ejecutarse en remoto. Se ha hecho p\u00fablico el exploit y puede que sea utilizado."}], "lastModified": "2025-09-17T14:38:37.743", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A9F36937-D73F-442F-97E3-E57E6B4DD579", "versionEndExcluding": "2.16.2", "versionStartIncluding": "2.0.0"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:-:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "829BF63A-A53D-4B0B-9E79-9654AE97D713"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "C939FF76-3FDC-4439-8794-4DFC390B6AE5"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "6C0F27D9-2CCD-4CA4-BB80-3650CA1CC7D7"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "AC7C1D95-EC40-445D-A46D-5B52C771E9EE"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha3:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1CB59D3F-CD0C-46FB-92E6-A57B5309690E"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha4:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7A156C47-5619-4AF3-B7F2-9BE83A5F8F15"}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha5:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "0E020A81-C019-45A9-BA3D-0F3C83D1288A"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}