CVE-2025-62595: 
JavaScript vulnerability analysis and mitigation

A bypass vulnerability (CVE-2025-62595) was discovered in the Koa.js framework affecting versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3. The vulnerability impacts the back redirect functionality, where attackers can manipulate the Referer header to force users' browsers to navigate to external, potentially malicious websites. This occurs because the implementation incorrectly treats some specially crafted URLs as safe relative paths (GitHub Advisory).

The vulnerability exists because the patched code attempts to treat values that start with '/' as safe relative paths and only performs origin checks for absolute URLs. However, protocol-relative URLs (beginning with //host) also start with '/' and therefore match the startsWith('/') check. This allows a protocol-relative referrer such as //evil.com with trailing double-slash to be treated as a safe relative path, while browsers interpret Location: //evil.com as a redirect to https://evil.com or http://evil.com based on context (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (Moderate) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD).

If exploited, this vulnerability could allow attackers to perform phishing, social engineering, or other redirect-based attacks on users of affected applications. An attacker who can cause a victim to visit a specially crafted link or inject a request with a controlled Referer can redirect the victim to an attacker-controlled domain (GitHub Advisory).

The vulnerability has been patched in versions 2.16.3 and 3.0.3. The fix involves not treating //host as a safe relative path and explicitly excluding protocol-relative values from any relative-path branch. It's recommended to normalize the Referer by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then compare resolved.origin (scheme+host+port) to ctx.origin before allowing the redirect (GitHub Advisory).