{
  "threat_severity" : "Moderate",
  "public_date" : "2025-04-09T15:56:40Z",
  "bugzilla" : {
    "description" : "koa: XSS at ctx.redirect() function in Koajs",
    "id" : "2358649",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2358649"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L",
    "status" : "draft"
  },
  "cwe" : "CWE-79",
  "details" : [ "Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.", "A flaw was found in Koa. This vulnerability allows execution of arbitrary JavaScript code via crafted user input passed to the ctx.redirect() function, even after input sanitization." ],
  "package_state" : [ {
    "product_name" : "Red Hat Developer Hub",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdh/rhdh-hub-rhel9",
    "cpe" : "cpe:/a:redhat:rhdh:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-32379\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32379\nhttps://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312\nhttps://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v" ],
  "name" : "CVE-2025-32379",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}