CVE-2025-32379 (Medium) detected in koa-2.13.4.tgz

[mend-bolt-for-github]

CVE-2025-32379 - Medium Severity Vulnerability

Vulnerable Library - koa-2.13.4.tgz

Koa web app framework

Library home page: https://registry.npmjs.org/koa/-/koa-2.13.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• oidc-provider-7.14.3.tgz (Root Library)
  • ❌ koa-2.13.4.tgz (Vulnerable Library)

Found in HEAD commit: a9ecf8e0c2abfe366faf96655145ee5b38f3dd20

Found in base branch: main

Vulnerability Details

Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.

Publish Date: 2025-04-09

URL: CVE-2025-32379

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-x2rg-q646-7m2v

Release Date: 2025-04-09

Fix Resolution: koa - 3.0.0-alpha.5,https://github.com/koajs/koa.git - 3.0.0-alpha.5,koa - 2.16.1,https://github.com/koajs/koa.git - 2.16.1

---

Step up your Open Source Security Game with Mend here