CVE-2025-62595

4.3 MEDIUM

📋 TL;DR

This CVE describes a URL redirect bypass vulnerability in Koa.js middleware for Node.js. Attackers can manipulate the Referer header to force user browsers to navigate to malicious external websites, enabling phishing and social engineering attacks. Applications using Koa.js versions 2.16.2 to before 2.16.3 or 3.0.1 to before 3.0.3 are affected.

💻 Affected Systems

Products:
  • Koa.js
Versions: 2.16.2 to before 2.16.3, 3.0.1 to before 3.0.3
Operating Systems: Any OS running Node.js
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using Koa's back redirect functionality with Referer header processing.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Users are redirected to sophisticated phishing sites that steal credentials, session tokens, or install malware, leading to account compromise and data breaches.

🟠

Likely Case

Users are redirected to phishing pages attempting to harvest login credentials or personal information through social engineering.

🟢

If Mitigated

With proper input validation and security headers, the impact is limited to failed redirect attempts or blocked navigation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires manipulating HTTP Referer headers and depends on the application using the vulnerable redirect functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.16.3 or 3.0.3

Vendor Advisory: https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc

Restart Required: Yes

Instructions:

1. Update the Koa.js dependency in package.json to ^2.16.3 or ^3.0.3.
2. Run 'npm update koa' or 'yarn upgrade koa'.
3. Restart your Node.js application.

🔧 Temporary Workarounds

Implement custom redirect validation

all

Add middleware to validate and sanitize redirect URLs before processing Referer headers.

// Example middleware to validate redirects
// A Referer counts as safe only if it parses as http(s) and its host is one of
// the application's own hosts (replace 'yourdomain.com' for your deployment).
const ALLOWED_HOSTS = new Set(['yourdomain.com']);
function isSafeUrl(value) {
  try {
    const url = new URL(value);
    return ['http:', 'https:'].includes(url.protocol) && ALLOWED_HOSTS.has(url.hostname);
  } catch {
    return false; // unparsable value is never safe
  }
}
app.use(async (ctx, next) => {
  const referer = ctx.get('Referer');
  if (referer && !isSafeUrl(referer)) {
    ctx.throw(400, 'Invalid redirect URL');
  }
  await next();
});

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) with strict directives to restrict navigation
  • Deploy WAF rules to block malicious Referer headers containing external URLs

🔍 How to Verify

Check if Vulnerable:

Check package.json or run 'npm list koa' to see whether the installed version is 2.16.2 (the only affected 2.x release) or between 3.0.1 and 3.0.2.

Check Version:

npm list koa | grep koa

Verify Fix Applied:

Confirm Koa version is 2.16.3 or higher for v2, or 3.0.3 or higher for v3 using 'npm list koa'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Referer headers containing external domains
  • Multiple 302/303 redirect responses to external URLs

Network Indicators:

  • HTTP requests with manipulated Referer headers pointing to unexpected domains

SIEM Query:

(http.referer CONTAINS "http://" OR http.referer CONTAINS "https://") AND NOT http.referer CONTAINS "yourdomain.com"
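To make the two log indicators and the query concrete, here is an added detector that is not part of the advisory, run over constructed JSON-lines access records. The record fields (`ts`, `status`, `referer`, `location`), the helper names `externalHost` and `findRedirectAbuse`, and every hostname are assumptions for this demonstration; adapt the field names to your own log schema. It separates the strong signal (a 302/303 whose Location host matches an off-site Referer host) from the weak one (any off-site Referer), which a plain CONTAINS query cannot do.

```javascript
// Added example, not part of the advisory: flag redirect abuse in JSON-lines
// access logs. Field names, helper names and all hostnames are assumptions.

// Hosts the application is legitimately served on (assumed).
const OWN_HOSTS = new Set(['app.example.com']);

// Return the hostname of an absolute http(s) URL that points off-site, or null
// for relative paths, same-site URLs, empty values and unparsable input.
function externalHost(value, ownHosts) {
  if (typeof value !== 'string' || value === '') return null;
  let url;
  try {
    // Relative targets resolve against a reserved base and count as internal.
    url = new URL(value, 'https://internal.invalid');
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  const host = url.hostname.toLowerCase();
  if (host === 'internal.invalid' || ownHosts.has(host)) return null;
  return host;
}

// Classify each record:
//  - reflected-referer-redirect: 302/303 whose Location host equals an
//    off-site Referer host (what a Referer-driven redirect leaves behind)
//  - external-redirect: 302/303 to any other off-site host
//  - external-referer: off-site Referer on a non-redirect response (low
//    signal alone; kept so counts line up with the "Log Indicators" above)
function findRedirectAbuse(logLines, ownHosts = OWN_HOSTS) {
  const findings = [];
  for (const line of logLines) {
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    const refHost = externalHost(rec.referer, ownHosts);
    const locHost = externalHost(rec.location, ownHosts);
    const isRedirect = rec.status === 302 || rec.status === 303;
    if (isRedirect && locHost && locHost === refHost) {
      findings.push({ ts: rec.ts, kind: 'reflected-referer-redirect', host: locHost });
    } else if (isRedirect && locHost) {
      findings.push({ ts: rec.ts, kind: 'external-redirect', host: locHost });
    } else if (refHost) {
      findings.push({ ts: rec.ts, kind: 'external-referer', host: refHost });
    }
  }
  return findings;
}

// Constructed sample records (not real traffic).
const SAMPLE_LOG = [
  '{"ts":"2025-01-01T10:00:00Z","path":"/","status":200,"referer":"https://app.example.com/home","location":""}',
  '{"ts":"2025-01-01T10:00:01Z","path":"/login","status":302,"referer":"https://app.example.com/login","location":"/dashboard"}',
  '{"ts":"2025-01-01T10:00:02Z","path":"/login","status":302,"referer":"https://evil.example.net/x","location":"https://evil.example.net/x"}',
  '{"ts":"2025-01-01T10:00:03Z","path":"/docs","status":200,"referer":"https://www.example.org/","location":""}',
  '{"ts":"2025-01-01T10:00:04Z","path":"/go","status":303,"referer":"","location":"//cdn.example.net/file"}',
  'not json at all',
];

for (const f of findRedirectAbuse(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.kind} ${f.host}`);
}
```

On the sample above only the third record produces the reflected-referer finding; the fourth is an ordinary inbound link and the fifth an off-site redirect with no Referer, which may be legitimate for a link-out endpoint. Group findings by host and alert on the reflected kind first.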

🔗 References
