GHSA-mvw6-62qv-vmqf: Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)

July 25, 2025 (updated July 29, 2025)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.

Original Description

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

References

github.com/advisories/GHSA-mvw6-62qv-vmqf
github.com/koajs/koa
github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0
github.com/koajs/koa/issues/1892
github.com/koajs/koa/issues/1892
nvd.nist.gov/vuln/detail/CVE-2025-8129
vuldb.com/?ctiid.317514
vuldb.com/?id.317514
vuldb.com/?submit.619741

Code Behaviors & Features

Detect and mitigate GHSA-mvw6-62qv-vmqf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →