Home > Vulnerability Database > CVE-2025-62595

Mend.io Vulnerability Database

CVE-2025-62595

Good to know:

Date: October 21, 2025

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths. Exploiting this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. This issue has been patched in version 3.0.3.

Severity Score

4.3

Related Resources (5)

Url: https://github.com/koajs/koa

Url: https://github.com/koajs/koa/commit/769fd75cc6b30d72493b370b5a3ae2332ca03c5b

Url: https://github.com/koajs/koa/security/advisories/GHSA-g8mr-fgfg-5qpc

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62595

Url: https://www.mend.io/vulnerability-database/CVE-2025-62595

Severity Score

4.3

Weakness Type (CWE)

URL Redirection to Untrusted Site ('Open Redirect')

CWE-601

Top Fix

Upgrade Version

Upgrade to version koa - 3.0.3;koa - 2.16.3;https://github.com/koajs/koa.git - v2.16.3;https://github.com/koajs/koa.git - v3.0.3

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62595

Good to know:

Date: October 21, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?