Package details: pkg:npm/koa@3.0.0-alpha.3
purl: pkg:npm/koa@3.0.0-alpha.3
Next non-vulnerable version: 3.1.2
Latest non-vulnerable version: 3.1.2
Risk: 3.1
Vulnerabilities affecting this package (3)

Vulnerability: VCID-5gp2-g6du-qbf5
Aliases: CVE-2025-8129, GHSA-jgmv-j7ww-jx2x
Summary: (none recorded)
Fixed by: 3.0.1 (affected by 2 other vulnerabilities)

Vulnerability: VCID-h551-ugxx-tyhy
Aliases: GHSA-mvw6-62qv-vmqf
Summary: Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled). This advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references. Original description: A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function `back` in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
Fixed by: 3.0.1 (affected by 2 other vulnerabilities)

Vulnerability: VCID-krub-gxtb-8ycd
Aliases: CVE-2025-32379, GHSA-x2rg-q646-7m2v
Summary: Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of users of the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.
Fixed by: 3.0.0-alpha.5 (affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-juvd-sv1b-hqa7
Summary: Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.
Aliases: CVE-2025-25200, GHSA-593f-38f6-jp5m

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-15T01:54:48.844141+00:00 GHSA Importer Fixing VCID-juvd-sv1b-hqa7 https://github.com/advisories/GHSA-593f-38f6-jp5m 38.6.0
2026-06-12T20:08:10.925801+00:00 GitLab Importer Affected by VCID-5gp2-g6du-qbf5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2025-8129.yml 38.6.0
2026-06-12T20:07:58.495348+00:00 GitLab Importer Affected by VCID-h551-ugxx-tyhy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/GHSA-mvw6-62qv-vmqf.yml 38.6.0
2026-06-12T19:58:48.955599+00:00 GitLab Importer Affected by VCID-krub-gxtb-8ycd https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2025-32379.yml 38.6.0
2026-06-12T19:52:37.884899+00:00 GitLab Importer Fixing VCID-juvd-sv1b-hqa7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2025-25200.yml 38.6.0
2026-06-12T07:53:37.414956+00:00 GithubOSV Importer Fixing VCID-juvd-sv1b-hqa7 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-593f-38f6-jp5m/GHSA-593f-38f6-jp5m.json 38.6.0