Vulnerability	Vulnerable Version
M Open Redirect koa is a Koa web app framework Affected versions of this package are vulnerable to Open Redirect via the "back redirect" functionality. An attacker can cause users to be redirected to an external, attacker-controlled domain by supplying a specially crafted `Referer` header containing a protocol-relative URL (e.g., `//evil.com`), which is incorrectly treated as a safe relative path. This can be exploited for phishing, social engineering, or bypassing same-origin navigation protections. Note: This is a bypass for the fix to the vulnerability reported in CVE-2025-8129. How to fix Open Redirect? Upgrade `koa` to version 2.16.3, 3.0.3 or higher.	>=2.16.2 <2.16.3>=3.0.1 <3.0.3

Open Redirect

koa is a Koa web app framework

Affected versions of this package are vulnerable to Open Redirect via the "back redirect" functionality. An attacker can cause users to be redirected to an external, attacker-controlled domain by supplying a specially crafted Referer header containing a protocol-relative URL (e.g., //evil.com), which is incorrectly treated as a safe relative path. This can be exploited for phishing, social engineering, or bypassing same-origin navigation protections.

Note: This is a bypass for the fix to the vulnerability reported in CVE-2025-8129.

How to fix Open Redirect?

Upgrade koa to version 2.16.3, 3.0.3 or higher.

>=2.16.2 <2.16.3>=3.0.1 <3.0.3

Go back to all versions of this package