chore(deps): update dependency koa to v2.16.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
koa (source)	2.16.1 -> 2.16.2

GitHub Vulnerability Alerts

CVE-2025-8129

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

• https://github.com/koajs/koa/blob/master/lib/response.js#L322

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@​koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
}) 

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

Impact

https://learn.snyk.io/lesson/open-redirect/

---

Release Notes

koajs/koa (koa)

v2.16.2

Compare Source

What's Changed

• fix: only allow back redirect to the same origin referer by @​fengmk2 in #​1898

Full Changelog: koajs/koa@v2.16.1...v2.16.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.44%. Comparing base (0a45ac1) to head (cfa790f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2961   +/-   ##
=======================================
  Coverage   91.44%   91.44%           
=======================================
  Files         146      146           
  Lines        8192     8192           
  Branches     1846     1846           
=======================================
  Hits         7491     7491           
  Misses        701      701           

Flag	Coverage Δ
instrumentation-amqplib	91.25% <ø> (ø)
instrumentation-aws-lambda	94.66% <ø> (ø)
instrumentation-aws-sdk	86.48% <ø> (ø)
instrumentation-bunyan	98.47% <ø> (ø)
instrumentation-cassandra-driver	84.02% <ø> (ø)
instrumentation-connect	98.47% <ø> (ø)
instrumentation-cucumber	92.72% <ø> (ø)
instrumentation-dataloader	98.12% <ø> (ø)
instrumentation-dns	96.87% <ø> (ø)
instrumentation-express	98.14% <ø> (ø)
instrumentation-fastify	93.98% <ø> (ø)
instrumentation-generic-pool	40.54% <ø> (ø)
instrumentation-graphql	93.99% <ø> (ø)
instrumentation-hapi	99.06% <ø> (ø)
instrumentation-ioredis	91.08% <ø> (ø)
instrumentation-kafkajs	97.89% <ø> (ø)
instrumentation-knex	94.61% <ø> (ø)
instrumentation-koa	96.22% <ø> (ø)
instrumentation-lru-memoizer	100.00% <ø> (ø)
instrumentation-memcached	92.00% <ø> (ø)
instrumentation-mongodb	88.25% <ø> (ø)
instrumentation-mongoose	90.74% <ø> (ø)
instrumentation-mysql	93.36% <ø> (ø)
instrumentation-mysql2	95.91% <ø> (ø)
instrumentation-nestjs-core	96.11% <ø> (ø)
instrumentation-net	96.55% <ø> (ø)
instrumentation-openai	87.96% <ø> (ø)
instrumentation-oracledb	96.13% <ø> (ø)
instrumentation-pg	95.95% <ø> (ø)
instrumentation-pino	100.00% <ø> (ø)
instrumentation-redis	85.26% <ø> (ø)
instrumentation-restify	91.53% <ø> (ø)
instrumentation-router	97.16% <ø> (ø)
instrumentation-runtime-node	89.47% <ø> (ø)
instrumentation-socket.io	81.13% <ø> (ø)
instrumentation-tedious	92.10% <ø> (ø)
instrumentation-typeorm	90.50% <ø> (ø)
instrumentation-undici	91.78% <ø> (ø)
instrumentation-winston	79.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[tlindhardt]

Its worth mentioning I have a pr open, though Im unsure how to get it merged, upgrading to 3.0.0. #2957 I would be happy to upgrade to 3.0.1.

[opentelemetrybot]

Thank you for your contribution @renovate[bot]! 🎉 We would like to hear from you about your experience contributing to OpenTelemetry by taking a few minutes to fill out this survey.