{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32379", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-04-06T19:46:02.462Z", "datePublished": "2025-04-09T15:56:40.574Z", "dateUpdated": "2025-04-09T20:45:15.899Z"}, "containers": {"cna": {"title": "XSS at ctx.redirect() function in Koajs", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v"}, {"name": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312"}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"version": ">= 3.0.0-alpha.0, < 3.0.0-alpha.5", "status": "affected"}, {"version": "< 2.16.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-09T15:56:40.574Z"}, "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5."}], "source": {"advisory": "GHSA-x2rg-q646-7m2v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-09T17:29:51.749257Z", "id": "CVE-2025-32379", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T20:45:15.899Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32379", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-04-09T17:29:51.749257Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-09T17:30:03.141Z"}}], "cna": {"title": "XSS at ctx.redirect() function in Koajs", "source": {"advisory": "GHSA-x2rg-q646-7m2v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"status": "affected", "version": ">= 3.0.0-alpha.0, < 3.0.0-alpha.5"}, {"status": "affected", "version": "< 2.16.1"}]}], "references": [{"url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v", "name": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312", "name": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-04-09T15:56:40.574Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32379", "state": "PUBLISHED", "dateUpdated": "2025-04-09T20:45:15.899Z", "dateReserved": "2025-04-06T19:46:02.462Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-04-09T15:56:40.574Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A275ECA9-DD3D-460D-A7C5-713F4E20C786", "versionEndExcluding": "2.16.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*", "matchCriteriaId": "C939FF76-3FDC-4439-8794-4DFC390B6AE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "6C0F27D9-2CCD-4CA4-BB80-3650CA1CC7D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "AC7C1D95-EC40-445D-A46D-5B52C771E9EE", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha3:*:*:*:node.js:*:*", "matchCriteriaId": "1CB59D3F-CD0C-46FB-92E6-A57B5309690E", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha4:*:*:*:node.js:*:*", "matchCriteriaId": "7A156C47-5619-4AF3-B7F2-9BE83A5F8F15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5."}, {"lang": "es", "value": "Koa es un middleware expresivo para Node.js que utiliza funciones as\u00edncronas de ES2017. En koa anteriores a la 2.16.1 y a la 3.0.0-alpha.5, pasar informaci\u00f3n de usuario no confiable a ctx.redirect(), incluso despu\u00e9s de depurarla, puede ejecutar c\u00f3digo JavaScript en el usuario que usa la aplicaci\u00f3n. Este problema se ha corregido en las versiones 2.16.1 y 3.0.0-alpha.5."}], "id": "CVE-2025-32379", "lastModified": "2026-01-14T14:36:06.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-09T16:15:25.903", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "koa: XSS at ctx.redirect() function in Koajs", "id": "2358649", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358649"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-79", "details": ["Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.", "A flaw was found in Koa. This vulnerability allows execution of arbitrary JavaScript code via crafted user input passed to the ctx.redirect() function, even after input sanitization."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-32379", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Fix deferred", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}], "public_date": "2025-04-09T15:56:40Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-32379\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32379\nhttps://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312\nhttps://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v"], "threat_severity": "Moderate"}

{}