CVE-2025-32379: Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function

April 9, 2025

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.

References

github.com/advisories/GHSA-x2rg-q646-7m2v
github.com/koajs/koa
github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312
github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v
nvd.nist.gov/vuln/detail/CVE-2025-32379

Code Behaviors & Features

Detect and mitigate CVE-2025-32379 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →