CVE-2025-32379

MEDIUM EPSS 11.8%

Published Apr 9, 20251y ago · Modified Jun 17, 20261w ago

6.1 CVSS 3.1

Medium

Published Apr 9, 2025 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.

CVSS Details

Base Score

6.1

Exploitability

2.8

Impact

2.7

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction Required

Scope Changed

Confidentiality Low

Integrity Low

Availability None

Threat Intelligence

EPSS Exploit Probability

11.8% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-79 Cross-site Scripting Injection

Affected Products 6

Vendor	Product	Version	Range
koajs	koa	*	<2.16.1
koajs	koa	3.0.0	any
koajs	koa	3.0.0	any
koajs	koa	3.0.0	any
koajs	koa	3.0.0	any
koajs	koa	3.0.0	any

References 2

github.com https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312

Patch
github.com https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v

PatchVendor Advisory

Remediation

github.com https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312

Patch
github.com https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v

PatchVendor Advisory