Homepage
About Snyk

koa-remove-trailing-slashes@2.0.1 vulnerabilities

Koa middleware that makes sure all requests does not have trailing slashes

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the koa-remove-trailing-slashes package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Open Redirect

koa-remove-trailing-slashes is a Koa middleware that makes sure all requests does not have trailing slashes

Affected versions of this package are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs.

PoC

// Run the code below to set up a vulnerable server instance
// Then access http://localhost:3000///example.com

const Koa = require('koa');
const removeTrailingSlashes = require('koa-remove-trailing-slashes');

const app = new Koa();

app.use(removeTrailingSlashes());

app.use(ctx => {
  ctx.body = 'Hello World';
});

app.listen(3000);

How to fix Open Redirect?

Upgrade koa-remove-trailing-slashes to version 2.0.2 or higher.

<2.0.2
Go back to all versions of this package