CVE-2025-8129

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-8129

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8129.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-8129

Aliases

GHSA-jgmv-j7ww-jx2x

Published

2025-07-25T05:15:36.980Z

Modified

2026-04-10T05:36:09.296374Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

References

Affected packages

Git / github.com/koajs/koa

Affected ranges

Type

GIT

Repo

https://github.com/koajs/koa

Events

Introduced

3595ef58b96f1e5f2ff83384bfa0409a30797e7a

Fixed

3b1688692471c70cf356ae526227e98982f56b09

Introduced

Last affected

ead934d8f2e36244336d67ad075c6b2faf4e7267

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.16.2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.0.0-NA"
        }
    ]
}

Affected versions

0.*

0.0.2

0.1.0

0.1.1

0.1.2

0.10.0

0.11.0

0.12.0

0.12.1

0.12.2

0.13.0

0.14.0

0.15.0

0.16.0

0.17.0

0.18.0

0.18.1

0.19.0

0.19.1

0.2.0

0.2.1

0.20.0

0.21.0

0.3.0

0.4.0

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.6.0

0.6.1

0.6.2

0.6.3

0.7.0

0.8.0

0.8.1

0.8.2

0.9.0

1.*

1.0.0

1.1.0

2.*

2.0.0-alpha.1

2.0.0-alpha.2

2.0.0-alpha.3

2.0.0-alpha.4

2.0.0-alpha.5

2.0.0-alpha.6

2.0.0-alpha.7

2.0.0-alpha.8

2.0.1

2.1.0

2.10.0

2.11.0

2.12.0

2.12.1

2.13.0

2.13.1

2.13.2

2.13.3

2.13.4

2.14.0

2.14.1

2.14.2

2.15.0

2.15.1

2.15.2

2.15.3

2.15.4

2.16.0

2.3.0

2.4.0

2.4.1

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.6.1

2.6.2

2.7.0

2.8.0

2.8.1

2.8.2

2.9.0

3.*

3.0.0-alpha.0

3.0.0-alpha.1

3.0.0-alpha.2

3.0.0-alpha.3

3.0.0-alpha.4

3.0.0-alpha.5

v2.*

v2.16.0

v2.16.1

v3.*

v3.0.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-8129.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.0.0-alpha5"
            }
        ]
    }
]