Update dependency koa to v2.16.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
koa (source)	2.15.3 → 2.16.2

GitHub Vulnerability Alerts

CVE-2025-25200

Summary

Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.

PoC

Coming soon.

Impact

This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

CVE-2025-32379

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

1. Redirect user to another phishing site
2. Make request to another endpoint of the application based on user's cookie
3. Steal user's cookie

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

• https://github.com/koajs/koa/blob/master/lib/response.js#L322

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

Impact

https://learn.snyk.io/lesson/open-redirect/

---

Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

• fix: only allow back redirect to the same origin referer by @​fengmk2 in #​1898

Full Changelog: koajs/koa@v2.16.1...v2.16.2

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at #​1593 and #​1547.

• fix missing cleanup, if response socket is no longer writeable (issue 1547) (#​1593) 399cb6b

v2.15.4

Compare Source

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
knzklive2-web	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 30, 2025 4:47pm

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​koa-logger@​3.1.5
	jest@​29.7.0
	@​types/​whatwg-fetch@​0.0.33
	@​typescript-eslint/​parser@​7.12.0
	eslint-config-prettier@​9.1.0
	ffmpeg-ffprobe-static@​6.1.1
	@​types/​ws@​8.5.10
	@​types/​fluent-ffmpeg@​2.1.24
	@​types/​koa__router@​12.0.4
	@​types/​koa@​2.15.0
	@​types/​koa-bodyparser@​4.3.12
	@​typescript-eslint/​eslint-plugin@​7.12.0
	ajv@​8.16.0
	koa-bodyparser@​4.4.1
	@​aspida/​fetch@​1.14.0
	aspida@​1.14.0
	ts-node@​10.9.2
	@​types/​node@​10.17.60 ⏵ 20.14.2			+2
	ffmpeg-static@​5.2.0
	fluent-ffmpeg@​2.1.3
	@​vercel/​ncc@​0.38.1
	koa-logger@​3.2.1
	@​sentry/​node@​8.7.0
	@​koa/​router@​12.0.1
	@​aws-sdk/​client-s3@​3.591.0
	koa@​2.16.2
	eslint@​8.57.0

View full report