Title: fix(deps): update dependency koa to v2.16.2 [security] by renovate[bot] · Pull Request #238 · 142vip/JavaScriptCollection · GitHub
Open Graph Title: fix(deps): update dependency koa to v2.16.2 [security] by renovate[bot] · Pull Request #238 · 142vip/JavaScriptCollection
X Title: fix(deps): update dependency koa to v2.16.2 [security] by renovate[bot] · Pull Request #238 · 142vip/JavaScriptCollection
Description: This PR contains the following updates: Package Change Age Confidence koa (source) 2.15.4 -> 2.16.2 WarningSome dependencies could not be looked up. Check the Dependency Dashboard for more information. GitHub Vulnerability Alerts CVE-2025-8129 Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. Details on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see: response.redirect(url, [alt]) Performs a [302] redirect to url. The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist. ctx.redirect('back'); ctx.redirect('back', '/index.html'); ctx.redirect('/login'); ctx.redirect('http://google.com'); however, the "back" method is insecure: https://github.com/koajs/koa/blob/master/lib/response.js#L322 back (alt) { const url = this.ctx.get('Referrer') || alt || '/' this.redirect(url) }, Referrer Header is User-Controlled. PoC there is a demo for POC: const Koa = require('koa') const serve = require('koa-static') const Router = require('@koa/router') const path = require('path') const app = new Koa() const router = new Router() // Serve static files from the public directory app.use(serve(path.join(__dirname, 'public'))) // Define routes router.get('/test', ctx => { ctx.redirect('back', '/index1.html') }) router.get('/test2', ctx => { ctx.redirect('back') }) router.get('/', ctx => { ctx.body = 'Welcome to the home page! Try accessing /test, /test2' }) app.use(router.routes()) app.use(router.allowedMethods()) const port = 3000 app.listen(port, () => { console.log(`Server running at http://localhost:${port}`) }) Proof Of Concept GET /test HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close GET /test2 HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close Impact https://learn.snyk.io/lesson/open-redirect/ Release Notes koajs/koa (koa) v2.16.2 Compare Source What's Changed fix: only allow back redirect to the same origin referer by @fengmk2 in https://github.com/koajs/koa/pull/1898 Full Changelog: koajs/koa@v2.16.1...v2.16.2 v2.16.1 Compare Source fix: don't render redirect values in anchor ref v2.16.0 Compare Source This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at https://github.com/koajs/koa/pull/1593 and https://github.com/koajs/koa/issues/1547. fix missing cleanup, if response socket is no longer writeable (issue 1547) (https://github.com/koajs/koa/pull/1593) 399cb6b Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. If you want to rebase/retry this PR, check this box This PR was generated by Mend Renovate. View the repository job log.
Open Graph Description: This PR contains the following updates: Package Change Age Confidence koa (source) 2.15.4 -> 2.16.2 WarningSome dependencies could not be looked up. Check the Dependency Dashboard f...
X Description: This PR contains the following updates: Package Change Age Confidence koa (source) 2.15.4 -> 2.16.2 WarningSome dependencies could not be looked up. Check the Dependency Dashboa...
Opengraph URL: https://github.com/142vip/JavaScriptCollection/pull/238
X: @github
Domain: patch-diff.githubusercontent.com
| route-pattern | /:user_id/:repository/pull/:id/checks(.:format) |
| route-controller | pull_requests |
| route-action | checks |
| fetch-nonce | v2:7134a1b3-4a74-a94f-d3af-73531190d6f4 |
| current-catalog-service-hash | 87dc3bc62d9b466312751bfd5f889726f4f1337bdff4e8be7da7c93d6c00a25a |
| request-id | AFA2:1E790:87571D:B92933:698E26B8 |
| html-safe-nonce | 684172be455220c5097c463d8d95718175befae44e1d2cb553584d64cbec3f80 |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJBRkEyOjFFNzkwOjg3NTcxRDpCOTI5MzM6Njk4RTI2QjgiLCJ2aXNpdG9yX2lkIjoiODEyNDI2NTk0MTY2MTc4NzgzMiIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | ad6450bc1d7b4eb0fcff2449ef23ae309b5aced33f2c7a9535c2b86d52029b70 |
| hovercard-subject-tag | pull_request:2702175735 |
| github-keyboard-shortcuts | repository,pull-request-list,pull-request-conversation,pull-request-files-changed,checks,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/142vip/JavaScriptCollection/pull/238/checks |
| twitter:image | https://avatars.githubusercontent.com/in/2740?s=400&v=4 |
| twitter:card | summary_large_image |
| og:image | https://avatars.githubusercontent.com/in/2740?s=400&v=4 |
| og:image:alt | This PR contains the following updates: Package Change Age Confidence koa (source) 2.15.4 -> 2.16.2 WarningSome dependencies could not be looked up. Check the Dependency Dashboard f... |
| og:site_name | GitHub |
| og:type | object |
| hostname | github.com |
| expected-hostname | github.com |
| None | a5632af64f7fed7bff1d6a428d1aca1b94fa7a48f760de2d39d9b1effdbf0082 |
| turbo-cache-control | no-cache |
| go-import | github.com/142vip/JavaScriptCollection git https://github.com/142vip/JavaScriptCollection.git |
| octolytics-dimension-user_id | 105834656 |
| octolytics-dimension-user_login | 142vip |
| octolytics-dimension-repository_id | 268041774 |
| octolytics-dimension-repository_nwo | 142vip/JavaScriptCollection |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 268041774 |
| octolytics-dimension-repository_network_root_nwo | 142vip/JavaScriptCollection |
| turbo-body-classes | logged-out env-production page-responsive full-width full-width-p-0 |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 2f1e729d231ea1ea5a098d21f1491b75bea53631 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width