You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
Open Redirect in koa-remove-trailing-slashes
Moderate severity
GitHub Reviewed
Published
Feb 10, 2022
to the GitHub Advisory Database
•
Updated Sep 5, 2023
The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs.
The package koa-remove-trailing-slashes before 2.0.2 are vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as
https://example.com//attacker.example/
). The vulnerable code is inindex.js::removeTrailingSlashes()
, as the web server uses relative URLs instead of absolute URLs.References