GHSA-r773-pmw3-f4mr

Source
https://github.com/advisories/GHSA-r773-pmw3-f4mr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-r773-pmw3-f4mr/GHSA-r773-pmw3-f4mr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r773-pmw3-f4mr
Aliases
  • CVE-2021-23384
Published
2022-02-10T23:47:27Z
Modified
2023-11-08T04:05:06.470293Z
Severity
  • CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
Open Redirect in koa-remove-trailing-slashes
Details

The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs.
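The mechanism described above, as an added example that is not the package's source: a redirect target built only by stripping trailing slashes from `//attacker.example/` is a protocol-relative reference, which a URL parser resolves to a different host. The function names and sample paths are constructed for illustration, and the hardened variant is one possible mitigation, not necessarily the change shipped in 2.0.2.

```javascript
// Added illustration; all function names here are hypothetical.

// Naive form: strip trailing slashes and redirect to the result as a relative URL.
function naiveRedirectTarget(path, search = '') {
  if (path.length > 1 && path.endsWith('/')) {
    return path.replace(/\/+$/, '') + search;
  }
  return null; // no trailing slash, no redirect
}

// Hardened form: also collapse leading slashes and backslashes so the Location
// value always starts with exactly one "/" and cannot be read as "//host".
function safeRedirectTarget(path, search = '') {
  if (path.length > 1 && path.endsWith('/')) {
    const stripped = path.replace(/\/+$/, '');
    return '/' + stripped.replace(/^[\/\\]+/, '') + search;
  }
  return null;
}

// Host a client ends up on when it resolves a Location value against the origin.
function resolvedHost(location, origin) {
  return new URL(location, origin).host;
}

// Report, per request path, whether each variant's redirect leaves the origin.
function audit(paths, origin) {
  const ownHost = new URL(origin).host;
  return paths.map((path) => {
    const naive = naiveRedirectTarget(path);
    const safe = safeRedirectTarget(path);
    return {
      path,
      naiveLeavesOrigin: naive !== null && resolvedHost(naive, origin) !== ownHost,
      safeLeavesOrigin: safe !== null && resolvedHost(safe, origin) !== ownHost,
    };
  });
}

// Constructed sample request paths.
const SAMPLE_PATHS = ['/docs/', '//attacker.example/', '/a/b///'];
console.log(audit(SAMPLE_PATHS, 'https://example.com'));
```
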

References

Affected packages

npm / koa-remove-trailing-slashes

Package

Name
koa-remove-trailing-slashes
Purl
pkg:npm/koa-remove-trailing-slashes

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.0.2