CVE-2025-62595: 
JavaScript vulnerability analysis and mitigation

A bypass vulnerability (CVE-2025-62595) was discovered in the Koa.js framework affecting versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3. The vulnerability impacts the back redirect functionality, where attackers can manipulate the Referer header to force a user's browser to navigate to external, potentially malicious websites. This occurs because the implementation incorrectly treats specially crafted URLs as safe relative paths (GitHub Advisory).

The vulnerability exists in the back redirect logic where the code attempts to treat values that start with '/' as safe relative paths and only perform origin checks for absolute URLs. However, protocol-relative URLs (beginning with //host) also start with '/' and match the startsWith('/') branch. This allows an attacker to supply a protocol-relative referrer like //evil.com that gets treated as a safe relative path, but browsers interpret Location: //evil.com as a redirect to https://evil.com or http://evil.com depending on context. The vulnerability has a CVSS v3.1 score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (GitHub Advisory).

An attacker who can cause a victim to visit a specially crafted link or inject a request with a controlled Referer header can redirect the victim to an attacker-controlled domain. This vulnerability can be exploited for phishing attacks, social engineering, or bypassing protection rules that rely on same-origin navigation (GitHub Advisory).

The vulnerability has been patched in versions 2.16.3 and 3.0.3. The fix involves not treating //host as a safe relative path and explicitly excluding protocol-relative values from any relative-path branch. The Referer should be normalized by resolving it with a base (e.g., new URL(rawRef, ctx.href)), then comparing resolved.origin to ctx.origin before allowing the redirect (GitHub Advisory, GitHub Commit).