Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Apr 9, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| koa (source) | 2.15.3 -> 2.16.2 | age | confidence |
| koa (source) | 2.16.0 -> 2.16.2 | age | confidence |

GitHub Vulnerability Alerts

CVE-2025-32379

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code on the users who use the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact

  1. Redirect user to another phishing site
  2. Make request to another endpoint of the application based on user's cookie
  3. Steal user's cookie

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

On the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

However, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

The Referrer header is user-controlled.

PoC

There is a demo for the PoC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
})

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close


Impact

https://learn.snyk.io/lesson/open-redirect/


Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

Full Changelog: koajs/koa@v2.16.1...v2.16.2

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix a core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at #1593 and #1547.

  • fix missing cleanup, if response socket is no longer writeable (issue 1547) (#1593) 399cb6b

v2.15.4

Compare Source

Full Changelog: koajs/koa@2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see GHSA-593f-38f6-jp5m


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
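The CVE-2025-8129 advisory above shows `back` trusting the Referrer header outright. The following is an added example, not Koa's own code, of how an application can keep the "back" convenience while refusing foreign origins and non-http(s) schemes; `safeBackTarget` and `safeBack` are hypothetical names, and `safeBack` assumes a Koa-style `ctx` exposing `ctx.get(header)`, `ctx.host` (hostname plus port) and `ctx.redirect(url)`.

```javascript
// Added example (not Koa's code): same-origin validation for "back" redirects.
// Only absolute http(s) URLs on the request's own host are accepted; anything
// else (foreign host, javascript:, protocol-relative, empty) falls back to alt.

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Return a same-origin path derived from `referrer`, or `alt` when the
// header is missing, unparsable, uses another scheme or points elsewhere.
// Returning only path+query+fragment means the raw header is never echoed.
function safeBackTarget(referrer, requestHost, alt = '/') {
  if (typeof referrer !== 'string' || referrer.length === 0) return alt;
  let parsed;
  try {
    parsed = new URL(referrer); // throws on relative or garbage input
  } catch {
    return alt;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return alt;
  // parsed.host includes the port, matching Koa's ctx.host; userinfo tricks
  // such as http://127.0.0.1:3000@evil.example/ resolve to host evil.example.
  if (parsed.host.toLowerCase() !== String(requestHost).toLowerCase()) return alt;
  return parsed.pathname + parsed.search + parsed.hash;
}

// Drop-in replacement for ctx.redirect('back', alt) inside a route handler.
// Assumes a Koa-style ctx (hypothetical wrapper, not a Koa API).
function safeBack(ctx, alt = '/') {
  const target = safeBackTarget(ctx.get('Referrer'), ctx.host, alt);
  ctx.redirect(target);
  return target;
}
```

The PoC request in the advisory (Referer: http://www.baidu.com against Host 127.0.0.1:3000) would resolve to the alt value instead of the foreign origin.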

@renovate renovate bot added the dependencies Pull requests that update a dependency label Apr 9, 2025

netlify bot commented Apr 9, 2025

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit b4120f3
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/68d5667a880f840008f22e37


github-actions bot commented Apr 9, 2025

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 44.12
  • Iterations/s: 14.71
  • Failed Requests: 0.00% (0 of 2654)
📜 Logs

> [email protected] run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 958 kB 16 kB/s
     data_sent......................: 2.0 MB 34 kB/s
     http_req_blocked...............: avg=6.93µs   min=2.45µs   med=5.18µs   max=1.03ms   p(90)=6.44µs   p(95)=6.95µs  
     http_req_connecting............: avg=856ns    min=0s       med=0s       max=974.13µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=90.02ms  min=6.83ms   med=74ms     max=473.86ms p(90)=153.13ms p(95)=174.11ms
       { expected_response:true }...: avg=90.02ms  min=6.83ms   med=74ms     max=473.86ms p(90)=153.13ms p(95)=174.11ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2654
     http_req_receiving.............: avg=89.16µs  min=25.29µs  med=76.04µs  max=2.53ms   p(90)=112.8µs  p(95)=145.57µs
     http_req_sending...............: avg=34.81µs  min=10.08µs  med=27.1µs   max=1.26ms   p(90)=40.64µs  p(95)=55.35µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=89.9ms   min=6.71ms   med=73.88ms  max=473.8ms  p(90)=153.03ms p(95)=174ms   
     http_reqs......................: 2654   44.122492/s
     iteration_duration.............: avg=271.59ms min=170.26ms med=257.91ms max=987.7ms  p(90)=333.63ms p(95)=366.98ms
     iterations.....................: 885    14.713039/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 9032fa3 to 71640f1 on April 24, 2025 10:45
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 71640f1 to 5a790b4 on May 19, 2025 18:01
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 6d53195 to c9e4cef on June 4, 2025 08:12
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 2 times, most recently from 30058d2 to 868e72f on June 12, 2025 17:03
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 868e72f to 20cf163 on June 22, 2025 15:06
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 20cf163 to e123166 on July 2, 2025 15:44
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from e123166 to 1e9b16c on July 16, 2025 11:48
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 1e9b16c to 087ad82 on July 28, 2025 20:51
@renovate renovate bot changed the title from "fix(deps): update dependency koa to v2.16.1 [security]" to "fix(deps): update dependency koa to v3 [security]" on Jul 28, 2025
@github-actions github-actions bot added the labels "type: tests" (Testing related), "pkg: backend" (Changes in the backend package) and "pkg: auth" (Changes in the GNAP auth package) on Jul 28, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 087ad82 to c26c97f on July 30, 2025 20:09
@renovate renovate bot changed the title from "fix(deps): update dependency koa to v3 [security]" to "fix(deps): update dependency koa to v2.16.2 [security]" on Jul 30, 2025
@github-actions github-actions bot removed the labels "type: tests" (Testing related), "pkg: backend" (Changes in the backend package) and "pkg: auth" (Changes in the GNAP auth package) on Jul 30, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from c26c97f to 73a56e6 on July 31, 2025 12:16
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch 3 times, most recently from 9f6c1c5 to f65afb0 on August 13, 2025 16:51
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from f65afb0 to 989f440 on August 19, 2025 16:16
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 989f440 to 6a9600d on August 31, 2025 14:36
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from 6a9600d to f2a2429 on September 25, 2025 14:51
@renovate renovate bot changed the title from "fix(deps): update dependency koa to v2.16.2 [security]" to "chore(deps): update dependency koa to v2.16.2 [security]" on Sep 25, 2025
@renovate renovate bot force-pushed the renovate-npm-koa-vulnerability branch from f2a2429 to b4120f3 on September 25, 2025 15:57