Koa.js, Open Redirect Vulnerability, CVE-2025-54420 (Medium)


The vulnerability lies in how Koa.js' `ctx.redirect()` handles the special `'back'` target, which takes the redirect destination from the request's `Referer` header and was meant to allow only safe same-site paths. The check treats any value that begins with a forward slash (`/`) as a relative path, so a protocol-relative URL such as `//evil.com` also passes because it, too, begins with `/`. Browsers, however, resolve a `Location: //evil.com` header as an absolute URL on the `evil.com` host, using the current page's scheme (`http:` or `https:`). The server therefore believes it is issuing an internal redirect while the browser navigates off-site, and an attacker who controls the `Referer` value reaching the application can bypass the same-origin protection and send users to a site of their choosing.
Platform: Koa.js
Version: < 2.15.4

Vulnerability : Open Redirect

Severity: Medium

Date: 2025-07-15

Prediction: 2025-07-29

What Undercode Say:

Triggering the flaw against the server (the endpoint calls `ctx.redirect('back')`):

curl -i -H "Referer: //evil.example.com" http://vulnerable-app.com/redirect-endpoint

A vulnerable server answers with `Location: //evil.example.com`, which the browser resolves to `https://evil.example.com` (or `http://`, matching the scheme of the current page).

Simplified illustration of the flawed check (the shape of the affected logic, not Koa's source verbatim):

// A Referer that starts with '/' is assumed to be a same-origin relative path.
const url = ctx.get('Referrer') || alt || '/';
if (url.startsWith('/')) {
  // '//evil.com' also starts with '/', so it passes and is sent unchanged
  ctx.set('Location', url);
}

Hardened logic: resolve the candidate the way a browser resolves a `Location` header, then compare origins; a parse failure fails closed instead of falling back to a string prefix test.

function isValidRedirect(url, ctx) {
  try {
    // Resolve relative to the current request URL, exactly as the browser will
    const resolvedUrl = new URL(url, ctx.href);
    // '//evil.com' resolves to https://evil.com, so the origin comparison fails
    return resolvedUrl.origin === ctx.origin;
  } catch (e) {
    // Unparseable input: reject rather than trusting a startsWith('/') check
    return false;
  }
}

How Exploit:

The attacker causes the application to receive a request whose `Referer` header carries a protocol-relative URL such as `//evil.example.com`; the `back` redirect echoes it into `Location`, and the victim's browser follows it to the attacker-controlled host, which can then present a phishing page that appears to have been reached from the trusted application. Note that browsers send absolute `Referer` values, so the attacker must be able to influence the header value that reaches the application; a direct request such as the curl example above only demonstrates the server-side behaviour.

Protection from this CVE

Upgrade to Koa.js version 2.15.4 or later. Independently of the framework fix, validate every redirect target in one centralized helper: resolve it against the request origin with the WHATWG `URL` parser, reject anything whose resulting origin is neither the application's own nor on an allow list of trusted origins, and never rely on a `startsWith('/')` test, since both `//host` and `/\host` pass it yet resolve to a foreign host in the browser.
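The centralized helper described above, as an added example that is not Koa's code or part of the original advisory. It assumes a Koa-style `ctx` with `ctx.origin` (scheme and host of the request) and `ctx.get(header)` for request headers; the allow-list origins and the `makeCtx` stub are hypothetical. It goes beyond the page's `//` case by also rejecting the backslash form, foreign absolute URLs, scheme downgrades and non-http(s) schemes.

```javascript
// Added example (not Koa's source): a centralized redirect helper for a Koa app.
// Assumes a Koa-like ctx exposing ctx.origin and ctx.get(headerName).

// Hypothetical allow list of origins a redirect may leave the app for.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://sso.example']);

// Resolve `target` exactly as a browser resolves a Location header against the
// current page, then test the resulting origin. Protocol-relative ('//host'),
// backslash ('/\host'), foreign absolute URLs, http->https downgrades and
// non-http(s) schemes all end up with an origin outside the set and are
// rejected; a parse failure fails closed.
function isAllowedRedirect(target, requestOrigin, allowed = ALLOWED_ORIGINS) {
  if (typeof target !== 'string' || target === '') return false;
  let resolved;
  try {
    resolved = new URL(target, requestOrigin);
  } catch {
    return false;
  }
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return false;
  const self = new URL(requestOrigin).origin;
  return resolved.origin === self || allowed.has(resolved.origin);
}

// Location for a "back"-style redirect: the Referrer if it passes the check,
// otherwise the caller's fallback (Koa's `alt`), defaulting to '/'.
function safeBackLocation(ctx, alt = '/') {
  const referrer = ctx.get('Referrer');
  return isAllowedRedirect(referrer, ctx.origin) ? referrer : alt;
}

// Constructed Koa-like context so the helper can be exercised offline.
function makeCtx(referrer, origin = 'https://app.example') {
  return {
    origin,
    get: (name) => (/^referr?er$/i.test(name) ? referrer : ''),
  };
}

// Constructed candidates covering the advisory's case and its relatives.
const CANDIDATES = [
  '/account',                  // plain relative path: allowed
  '//evil.example',            // protocol-relative (the CVE): rejected
  '/\\evil.example',           // backslash variant browsers treat like '//': rejected
  'https://sso.example/login', // on the allow list: allowed
  'https://evil.example/',     // foreign absolute URL: rejected
  'http://app.example/',       // same host but scheme downgrade: rejected
  'javascript:alert(1)',       // non-http(s) scheme: rejected
];

for (const candidate of CANDIDATES) {
  const ctx = makeCtx(candidate);
  console.log(candidate.padEnd(28), '->', safeBackLocation(ctx, '/fallback'));
}
```

The same-origin comparison is done on the parsed `origin`, never on the raw string, which is what makes `//host` and `/\host` fall out naturally: the browser and the server now agree on where the redirect actually goes.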

Impact:

Phishing attacks, Social engineering, Bypassing origin checks, User session theft.


Sources:

Reported By: github.com