GHSA-x2rg-q646-7m2v

Source
https://github.com/advisories/GHSA-x2rg-q646-7m2v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-x2rg-q646-7m2v/GHSA-x2rg-q646-7m2v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x2rg-q646-7m2v
Aliases
Published
2025-04-09T13:00:07Z
Modified
2025-04-09T20:29:43Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
Summary
Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function
Details

Summary

In koa versions earlier than 2.16.1 and earlier than 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of a user of the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

  1. Redirect the user to a phishing site
  2. Make requests to other endpoints of the application using the user's cookie
  3. Steal the user's cookie
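As an added example, not part of this advisory or of Koa's own code, the check below is what a handler can apply before calling ctx.redirect(): only same-site relative paths are accepted, and anything else falls back to a fixed destination, so untrusted input never reaches the redirect as a full URL. The function name safeRedirectTarget, the base origin and the handler sketch in the comment are assumptions; applying such a check complements, and does not replace, upgrading to 2.16.1 or 3.0.0-alpha.5.

```javascript
// Added example (hypothetical helper, not Koa's API). A Koa handler would use it as:
//   router.get('/login/done', ctx => ctx.redirect(safeRedirectTarget(ctx.query.next)));
// The koa package itself is not imported here, so the block runs stand-alone.

const DEFAULT_TARGET = '/';
// Fixed, non-routable base used only to let the WHATWG URL parser normalize input.
const BASE = 'https://app.invalid';

// Returns a same-site relative path when `input` is one, otherwise `fallback`.
function safeRedirectTarget(input, fallback = DEFAULT_TARGET) {
  if (typeof input !== 'string' || input.length === 0) return fallback;

  // Require a path-relative target. Anything with a scheme ("https:", "data:", ...)
  // or a protocol-relative host ("//host") does not start with a single "/".
  if (!input.startsWith('/') || input.startsWith('//')) return fallback;

  // Refuse C0 control characters and DEL: the URL parser silently strips tabs and
  // newlines, so they must be rejected before parsing rather than cleaned up.
  if (/[\u0000-\u001f\u007f]/.test(input)) return fallback;

  let url;
  try {
    url = new URL(input, BASE);
  } catch {
    return fallback;
  }

  // Parsing against the fixed base must not have moved us to another origin.
  if (url.origin !== BASE) return fallback;

  // Normalization can reintroduce a leading "//" (for example from "/..//host" or
  // from backslashes, which special schemes treat as "/"), which a browser reads as
  // protocol-relative. Reject those rather than trying to repair them.
  if (url.pathname.startsWith('//')) return fallback;

  // Serialized components are percent-encoded by the parser ("<", ">", '"', space).
  return url.pathname + url.search + url.hash;
}

module.exports = { safeRedirectTarget, DEFAULT_TARGET };
```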
Database specific
{
    "github_reviewed_at": "2025-04-09T13:00:07Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-04-09T16:15:25Z",
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

npm / koa

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.16.1

npm / koa

Package

Affected ranges

Type
SEMVER
Events
Introduced
3.0.0-alpha.1
Fixed
3.0.0-alpha.5