GHSA-r773-pmw3-f4mr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r773-pmw3-f4mr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-r773-pmw3-f4mr/GHSA-r773-pmw3-f4mr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r773-pmw3-f4mr
- Aliases
-
- CVE-2021-23384
- Published
- 2022-02-10T23:47:27Z
- Modified
- 2023-11-08T04:05:06.470293Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Open Redirect in koa-remove-trailing-slashes
- Details
-
The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as
https://example.com//attacker.example/). The vulnerable code is inindex.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs. - Database specific
{ "github_reviewed": true, "severity": "MODERATE", "cwe_ids": [ "CWE-601" ], "nvd_published_at": "2021-05-17T18:15:00Z", "github_reviewed_at": "2021-05-19T17:57:27Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23384
- https://github.com/vgno/koa-remove-trailing-slashes/commit/e7ce4000e9fe4d957332df1056640a22ebea28ee
- https://github.com/vgno/koa-remove-trailing-slashes
- https://github.com/vgno/koa-remove-trailing-slashes/blame/6a01ba8fd019bd3ece44879c553037ad96ba7d47/index.js#L31
- https://snyk.io/vuln/SNYK-JS-KOAREMOVETRAILINGSLASHES-1085708
Affected packages
npm / koa-remove-trailing-slashes
Package
- Name
- koa-remove-trailing-slashes
- View open source insights on deps.dev
- Purl
- pkg:npm/koa-remove-trailing-slashes