@renovate renovate bot commented Apr 9, 2025

This PR contains the following updates:

Package | Change | Age | Confidence
koa (source) | 2.15.3 -> 2.16.2 | age | confidence
koa (source) | 2.16.0 -> 2.16.2 | age | confidence

GitHub Vulnerability Alerts

CVE-2025-32379

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of the user who uses the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

  1. Redirect user to another phishing site
  2. Make request to another endpoint of the application based on user's cookie
  3. Steal user's cookie

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

On the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

However, the "back" method is insecure:

  // response.js: "back" uses the request's Referrer header as the redirect target
  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

The Referrer header is user-controlled.

PoC

There is a demo for the PoC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
})

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close


Impact

https://learn.snyk.io/lesson/open-redirect/


Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

Full Changelog: koajs/koa@v2.16.1...v2.16.2

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix a core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at #1593 and #1547.

  • fix missing cleanup, if response socket is no longer writeable (issue 1547) (#1593) 399cb6b

v2.15.4

Compare Source

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.



This PR was generated by Mend Renovate. View the repository job log.
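The CVE-2025-8129 advisory above shows koa's `back(alt)` redirecting to whatever the Referrer header says. The following is an added example, not koa's code and not part of this PR: a `safeBackTarget` helper that honours the Referrer only when it resolves to the same origin as the request and otherwise falls back to `alt` (or `/`), plus a hypothetical `safeBack(ctx, alt)` wrapper that could replace the `ctx.redirect('back', ...)` calls in the PoC. It goes slightly beyond the advisory's cross-host case: the same origin check also rejects `javascript:` and protocol-relative (`//host`) referrers.

```javascript
// Added example, not koa's implementation. Computes a redirect target for a
// "back"-style redirect without trusting the Referrer header outright.
function safeBackTarget(referrer, requestOrigin, alt = '/') {
  if (!referrer) return alt;               // no Referrer: same fallback koa uses
  const own = new URL(requestOrigin);      // e.g. "http://127.0.0.1:3000"
  let target;
  try {
    // Relative referrers resolve against our origin; absolute ones keep theirs.
    target = new URL(referrer, own);
  } catch {
    return alt;                            // unparsable header: fall back
  }
  // Any other origin is rejected. This covers other hosts, "//evil.example",
  // "javascript:" and "data:" URLs (their origin is "null"), and userinfo tricks
  // such as "http://127.0.0.1:3000@evil.example/".
  if (target.origin !== own.origin) return alt;
  // Emit only the path, query and fragment, so the Location header can never
  // name another host even if the check above were ever bypassed.
  return target.pathname + target.search + target.hash;
}

// Hypothetical drop-in for the PoC's `ctx.redirect('back', alt)` calls.
// ctx.protocol, ctx.host and ctx.get() are koa's own context accessors;
// ctx.host includes the port, matching the Host header.
function safeBack(ctx, alt) {
  const origin = `${ctx.protocol}://${ctx.host}`;
  ctx.redirect(safeBackTarget(ctx.get('Referrer'), origin, alt));
}

// Constructed sample: the PoC's request (Host 127.0.0.1:3000, Referer baidu.com)
// now lands on the alt page instead of leaving the site.
const sample = safeBackTarget('http://www.baidu.com', 'http://127.0.0.1:3000', '/index1.html');
console.log(sample); // "/index1.html"
```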

@renovate renovate bot added the dependencies Pull requests that update a dependency label Apr 9, 2025
netlify bot commented Apr 9, 2025

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit dd0bc1b
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69638ddb297b2b0008e5dd71


github-actions bot commented Apr 9, 2025

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 39.26
  • Iterations/s: 13.12
  • Failed Requests: 0.00% (0 of 2362)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 853 kB 14 kB/s
     data_sent......................: 1.8 MB 30 kB/s
     http_req_blocked...............: avg=7.37µs   min=2.45µs   med=5.74µs   max=915.85µs p(90)=6.95µs   p(95)=7.65µs  
     http_req_connecting............: avg=712ns    min=0s       med=0s       max=618.38µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=101.19ms min=7.32ms   med=83.87ms  max=569.68ms p(90)=174.75ms p(95)=198.48ms
       { expected_response:true }...: avg=101.19ms min=7.32ms   med=83.87ms  max=569.68ms p(90)=174.75ms p(95)=198.48ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2362
     http_req_receiving.............: avg=98.22µs  min=29.61µs  med=85.86µs  max=1.74ms   p(90)=129.02µs p(95)=159.76µs
     http_req_sending...............: avg=37.17µs  min=11.58µs  med=30.93µs  max=1.12ms   p(90)=44.28µs  p(95)=58.04µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=101.05ms min=7.08ms   med=83.76ms  max=569.6ms  p(90)=174.65ms p(95)=198.32ms
     http_reqs......................: 2362   39.262866/s
     iteration_duration.............: avg=304.7ms  min=178.09ms med=292.54ms max=1.13s    p(90)=380.48ms p(95)=428.68ms
     iterations.....................: 789    13.115327/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 9032fa3 to 71640f1 Compare April 24, 2025 10:45
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 71640f1 to 5a790b4 Compare May 19, 2025 18:01
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 6d53195 to c9e4cef Compare June 4, 2025 08:12
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 30058d2 to 868e72f Compare June 12, 2025 17:03
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 868e72f to 20cf163 Compare June 22, 2025 15:06
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 20cf163 to e123166 Compare July 2, 2025 15:44
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from e123166 to 1e9b16c Compare July 16, 2025 11:48
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 1e9b16c to 087ad82 Compare July 28, 2025 20:51
@renovate renovate bot changed the title fix(deps): update dependency koa to v2.16.1 [security] fix(deps): update dependency koa to v3 [security] Jul 28, 2025
@github-actions github-actions bot added type: tests Testing related pkg: backend Changes in the backend package. pkg: auth Changes in the GNAP auth package. labels Jul 28, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 087ad82 to c26c97f Compare July 30, 2025 20:09
@renovate renovate bot changed the title fix(deps): update dependency koa to v3 [security] fix(deps): update dependency koa to v2.16.2 [security] Jul 30, 2025
@github-actions github-actions bot removed type: tests Testing related pkg: backend Changes in the backend package. pkg: auth Changes in the GNAP auth package. labels Jul 30, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from c26c97f to 73a56e6 Compare July 31, 2025 12:16
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 9f6c1c5 to f65afb0 Compare August 13, 2025 16:51
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from f65afb0 to 989f440 Compare August 19, 2025 16:16
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 989f440 to 6a9600d Compare August 31, 2025 14:36
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 6a9600d to f2a2429 Compare September 25, 2025 14:51
@renovate renovate bot changed the title fix(deps): update dependency koa to v2.16.2 [security] chore(deps): update dependency koa to v2.16.2 [security] Sep 25, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from f2a2429 to b4120f3 Compare September 25, 2025 15:57
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 68ce034 to fe6ab7e Compare October 21, 2025 12:31
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from b3dbe1c to a89e74a Compare October 31, 2025 16:10
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from a89e74a to 578d0d3 Compare November 10, 2025 17:17
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 578d0d3 to cf9e08a Compare November 18, 2025 14:05
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 868f7ca to 9146f21 Compare December 3, 2025 14:48
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 10dba30 to 9986492 Compare December 31, 2025 19:40
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 9986492 to 1773a29 Compare January 8, 2026 19:50
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 1773a29 to dd0bc1b Compare January 11, 2026 11:47