Update dependency koa to v3.0.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
koa (source)	3.0.0 -> 3.0.1

GitHub Vulnerability Alerts

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

• https://github.com/koajs/koa/blob/master/lib/response.js#L322

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

Impact

https://learn.snyk.io/lesson/open-redirect/

---

Release Notes

koajs/koa (koa)

v3.0.1

Compare Source

What's Changed

• fix(security): only allow same origin referer on response back 422c551
• chore: adds initial doc text refresh; migration guide [CHORE-1870] by @​yowainwright in #​1877
• build(deps-dev): bump formidable from 3.5.2 to 3.5.4 by @​dependabot[bot] in #​1878
• chore: removes done callbacks in tests [CHORE-1870] by @​yowainwright in #​1875
• build(deps-dev): bump supertest from 7.1.0 to 7.1.1 by @​dependabot[bot] in #​1879
• build(deps): bump debug from 4.4.0 to 4.4.1 by @​dependabot[bot] in #​1880
• feat: replace debug module with pure node:util::debuglog by @​3imed-jaberi in #​1885
• feat: replace cache-content-type with mime-types directly by @​3imed-jaberi in #​1886
• build(deps): bump statuses from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​1888
• build(deps-dev): bump supertest from 7.1.1 to 7.1.4 by @​dependabot[bot] in #​1895
• build(deps-dev): bump form-data from 4.0.3 to 4.0.4 by @​dependabot[bot] in #​1894

Full Changelog: koajs/koa@v3.0.0...v3.0.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a26e6ab

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR