Koa Open Redirect via Referrer Header (User-Controlled)
Description

Summary

In the latest version of Koa, the `back` method used for redirect operations has an insecure implementation: it uses the user-controllable Referrer header as the redirect target.

Details

In the API documentation, https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

```
Performs a [302] redirect to url.

The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('https://google.com');
```

However, the "back" method is insecure (https://github.com/koajs/koa/blob/master/lib/response.js#L322):

```
back (alt) {
  const url = this.ctx.get('Referrer') || alt || '/'
  this.redirect(url)
},
```

The Referrer header is user-controlled.

PoC

There is a demo for the PoC:

```
const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(Server…
```
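An added example, not part of the advisory and not Koa's own code, showing how a route handler can vet the Referrer before reusing it as a redirect target: the value is kept only when it resolves to the request's own host, which also rejects scheme-relative (`//host`) and backslash-prefixed values that a naive prefix check would miss. The names `safeBackTarget` and `redirectBack` are hypothetical.

```javascript
// Same-origin filter for a "back" redirect target. Koa's back() hands the
// Referrer header straight to redirect(); this helper returns only a local
// path, falling back to alt (or "/") for anything that is not our own host.
function safeBackTarget(referrer, requestHost, alt = '/') {
  const fallback = alt || '/';
  if (!referrer) return fallback;

  let parsed;
  try {
    // Resolve relative Referrers against our own origin. A scheme-relative
    // value such as "//evil.example" or a backslash form such as
    // "/\evil.example" resolves to that foreign host and fails the host
    // comparison below.
    parsed = new URL(referrer, `http://${requestHost}`);
  } catch (e) {
    return fallback;
  }

  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return fallback;
  if (parsed.host.toLowerCase() !== requestHost.toLowerCase()) return fallback;

  // Return only the path portion so the Location header never carries a host.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Drop-in replacement for ctx.redirect('back', alt) inside a Koa handler
// (hypothetical helper; ctx.get() and ctx.host are standard Koa accessors).
function redirectBack(ctx, alt) {
  ctx.redirect(safeBackTarget(ctx.get('Referrer'), ctx.host, alt));
}
```

Constructed inputs: a request to `app.example` with Referrers pointing at a foreign host, a scheme-relative host, a backslash-prefixed host, and a legitimate same-origin page.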