Copilot AI commented Nov 7, 2025

Resolves open redirect vulnerability in koa via protocol-relative URLs (e.g., //evil.com) exploiting trailing double-slash in back redirect logic.

Changes

  • Updated koa override from 2.16.2 → 2.16.3 in package.json
  • Regenerated package-lock.json with patched version

Context

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • accounts.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --mute-audio --crashpad-handler-pid=3629 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,2735206694954260423,70858386088397593,262144 --enable-features=PdfOopif --disable-features=AcceptCHFrame,IsolateSandboxedIframes,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome --allow-pre-commit-input --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-crash-reporter --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-REDACTEDing --disable-search-engine-choice-screen --disable-sync --enable-automation --export-tagged-pdf --force-color-profile=srgb --generate-pdf-document-outline --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,IsolateSandboxedIframes --enable-features=PdfOopif --headless=new --hide-scrollbars --mute-audio --remote-debugging-port=0 --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl about:blank (dns block)
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)
  • clients2.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --mute-audio --crashpad-handler-pid=3629 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,2735206694954260423,70858386088397593,262144 --enable-features=PdfOopif --disable-features=AcceptCHFrame,IsolateSandboxedIframes,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome --allow-pre-commit-input --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-crash-reporter --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-REDACTEDing --disable-search-engine-choice-screen --disable-sync --enable-automation --export-tagged-pdf --force-color-profile=srgb --generate-pdf-document-outline --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,IsolateSandboxedIframes --enable-features=PdfOopif --headless=new --hide-scrollbars --mute-audio --remote-debugging-port=0 --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl about:blank (dns block)
  • safebrowsingohttpgateway.googleapis.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --mute-audio --crashpad-handler-pid=3629 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,2735206694954260423,70858386088397593,262144 --enable-features=PdfOopif --disable-features=AcceptCHFrame,IsolateSandboxedIframes,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome --allow-pre-commit-input --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-crash-reporter --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-REDACTEDing --disable-search-engine-choice-screen --disable-sync --enable-automation --export-tagged-pdf --force-color-profile=srgb --generate-pdf-document-outline --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,IsolateSandboxedIframes --enable-features=PdfOopif --headless=new --hide-scrollbars --mute-audio --remote-debugging-port=0 --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl about:blank (dns block)
  • www.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --mute-audio --crashpad-handler-pid=3629 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,2735206694954260423,70858386088397593,262144 --enable-features=PdfOopif --disable-features=AcceptCHFrame,IsolateSandboxedIframes,MediaRouter,OptimizationHints,PaintHolding,ProcessPerSiteUpToMainFrameThreshold,Translate --variations-seed-version --trace-process-track-uuid=3190708989122997041 (dns block)
    • Triggering command: /opt/google/chrome/chrome --allow-pre-commit-input --disable-REDACTED-networking --disable-REDACTED-timer-throttling --disable-REDACTEDing-occluded-windows --disable-breakpad --disable-client-side-phishing-detection --disable-component-extensions-with-REDACTED-pages --disable-crash-reporter --disable-default-apps --disable-dev-shm-usage --disable-extensions --disable-hang-monitor --disable-infobars --disable-ipc-flooding-protection --disable-popup-blocking --disable-prompt-on-repost --disable-renderer-REDACTEDing --disable-search-engine-choice-screen --disable-sync --enable-automation --export-tagged-pdf --force-color-profile=srgb --generate-pdf-document-outline --metrics-recording-only --no-first-run --password-store=basic --use-mock-keychain --disable-features=Translate,AcceptCHFrame,MediaRouter,OptimizationHints,ProcessPerSiteUpToMainFrameThreshold,IsolateSandboxedIframes --enable-features=PdfOopif --headless=new --hide-scrollbars --mute-audio --remote-debugging-port=0 --user-data-dir=/tmp/puppeteer_dev_chrome_profile-xobZOO --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl about:blank (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Fix CVE-2025-62595: Update koa package to version 2.16.3 or later to resolve Open Redirect vulnerability via Trailing Double-Slash (//) in back Redirect Logic.

This security vulnerability (Dependabot alert #41) affects koa versions >= 2.16.2, < 2.16.3. The issue allows attackers to manipulate the Referer header to force redirects to external malicious websites by exploiting protocol-relative URLs (//evil.com).

Tasks:

  1. Run npm update to update all dependencies including transitive dependencies
  2. Specifically ensure koa is updated to version 2.16.3 or later if it appears in the dependency tree
  3. Run npm audit to verify the vulnerability is resolved
  4. Update package-lock.json with the new dependency versions
  5. Test that the updates don't break existing functionality

Reference:


Co-authored-by: alidusha <8617681+alidusha@users.noreply.github.com>
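The defect class this PR patches, a "back" redirect that trusts the Referrer header, is easiest to reason about with a concrete check. The following is an added example written for this page; it is not koa's implementation of `ctx.redirect('back')` and makes no claim about how 2.16.3 fixes the issue. It resolves the header value against the application's own origin with the WHATWG URL parser and keeps only same-origin results, so protocol-relative (`//host`), backslash (`/\host`) and absolute foreign URLs all fall back to the default. The function name, `APP_ORIGIN` and the sample header values are constructed for the example.

```javascript
// Added example, not koa's code: choose a safe target for a "back"-style
// redirect from a Referrer header. Only values that resolve to the
// application's own origin are kept; everything else uses the fallback.
const FALLBACK = '/';

function safeBackTarget(referrer, appOrigin, fallback = FALLBACK) {
  if (typeof referrer !== 'string' || referrer.length === 0) return fallback;

  let target;
  try {
    // Resolve the header the way a browser resolves a Location header,
    // relative to our own origin. String checks such as "starts with /"
    // miss "//host" and "/\host"; the URL parser turns both into a URL
    // whose host is the foreign one, which the origin check then rejects.
    target = new URL(referrer, appOrigin);
  } catch {
    return fallback; // header is not a parseable URL
  }

  // Opaque origins ("null" for javascript:, data:, etc.) and any change of
  // scheme, host or port are refused, which also blocks an https -> http hop.
  if (target.origin !== new URL(appOrigin).origin) return fallback;

  // Emit a path, never an absolute URL, so the Location header cannot name
  // another host even if a later refactor weakens the check above.
  return target.pathname + target.search + target.hash;
}

// Constructed Referrer values illustrating the decision.
const APP_ORIGIN = 'https://app.example';
const SAMPLE_REFERRERS = [
  '/account?tab=security',             // ordinary same-site path
  'https://app.example/orders#recent', // absolute, but our own origin
  '//evil.example/phish',              // protocol-relative
  '/\\evil.example/phish',             // backslash variant
  'https://evil.example/',             // absolute foreign URL
  'javascript:alert(1)',               // opaque origin
  undefined,                           // header absent
];

for (const ref of SAMPLE_REFERRERS) {
  console.log(`${String(ref).padEnd(36)} -> ${safeBackTarget(ref, APP_ORIGIN)}`);
}
```

Letting the URL parser do the normalisation is the point: it is the same parser the browser will apply to the Location header, so the check and the browser agree on where a value actually leads.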
Copilot AI changed the title from "[WIP] Fix CVE-2025-62595 by updating koa package" to "Fix CVE-2025-62595: Update koa to 2.16.3" Nov 7, 2025
Copilot AI requested a review from alidusha November 7, 2025 18:59
Copilot finished work on behalf of alidusha November 7, 2025 18:59
@alidusha alidusha marked this pull request as ready for review November 7, 2025 20:07
@alidusha alidusha requested a review from a team as a code owner November 7, 2025 20:07
@alidusha alidusha requested review from Copilot and jibrang November 7, 2025 20:07
Contributor

Copilot AI left a comment

Pull Request Overview

This PR updates the Koa package from version 2.16.2 to 2.16.3 to resolve CVE-2025-62595, an open redirect vulnerability affecting protocol-relative URLs in back redirect logic.

  • Updated Koa version override from 2.16.2 to 2.16.3
  • Regenerated package-lock.json with the patched version
  • Added MIT license field to the Koa package entry in package-lock.json

Reviewed Changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

  • package.json: Updated Koa version override from 2.16.2 to 2.16.3 to address security vulnerability
  • package-lock.json: Updated Koa dependency metadata with new version, integrity hash, and license field


@alidusha alidusha enabled auto-merge (squash) November 7, 2025 20:10
@alidusha

alidusha commented Nov 7, 2025

@copilot what does this mean: "Transitive dependency koa 2.16.2 is introduced via
@web/dev-server-esbuild 1.0.4 ... koa 2.16.2
@web/test-runner 0.20.0 ... koa 2.16.2" dependabot said it could not upgrade from 2.16.2. Is this related to the above?

Author

Copilot AI commented Nov 7, 2025

@copilot what does this mean: "Transitive dependency koa 2.16.2 is introduced via
@web/dev-server-esbuild 1.0.4 ... koa 2.16.2
@web/test-runner 0.20.0 ... koa 2.16.2" dependabot said it could not ...

Yes, Dependabot was referring to the transitive dependency chain. Koa 2.16.2 was being pulled in via @web/dev-server-core (which is a dependency of @web/dev-server-esbuild and @web/test-runner).

The overrides field in package.json forces npm to use koa 2.16.3 instead of 2.16.2 for all transitive dependencies. This is why the fix works - it overrides the version that would normally be installed by @web/dev-server-core.

Without the override, npm would install koa 2.16.2 (as specified by @web/dev-server-core's dependency), but with the override set to 2.16.3, npm installs the patched version instead. This resolves the vulnerability without needing to wait for the upstream packages to update their dependencies.

Commit: 446cc08

Copilot finished work on behalf of alidusha November 7, 2025 20:20
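One thing the exchange above leaves implicit: the lockfile is what proves an override took effect, because npm records every installed copy of a package, nested ones included, under `packages` in package-lock.json. The script below is an added example, not part of this PR or of npm; it scans a lockfile in the lockfileVersion 2/3 layout for every copy of a named package and reports any below a minimum version. The lockfile fragment is constructed: it mirrors the dependency chain discussed above, with the top-level koa overridden to 2.16.3 and a deliberately stale nested copy left under @web/dev-server-core so the check has something to flag. The @web/dev-server-core version and the dependency ranges shown are placeholders, not real release data.

```javascript
// Added example, not part of the PR: confirm an npm "overrides" entry took
// effect by scanning package-lock.json for every installed copy of a package.
//
// Constructed lockfile fragment (lockfileVersion 3 layout). The top-level koa
// reflects the override to 2.16.3; a stale nested copy is left under
// @web/dev-server-core on purpose so the scan has something to report.
// The @web/dev-server-core version and the ranges are placeholders.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', overrides: { koa: '2.16.3' } },
    'node_modules/koa': { version: '2.16.3', license: 'MIT' },
    'node_modules/@web/test-runner': {
      version: '0.20.0',
      dependencies: { '@web/dev-server-core': '*' },
    },
    'node_modules/@web/dev-server-core': {
      version: '0.0.0', // placeholder, not a real release
      dependencies: { koa: '^2.0.0' },
    },
    'node_modules/@web/dev-server-core/node_modules/koa': { version: '2.16.2' },
  },
};

// Parse "major.minor.patch"; pre-release and build suffixes are ignored here
// (a production tool would use the semver package instead).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 as a is below, equal to or above b, compared numerically so
// that 2.16.10 sorts after 2.16.9.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// npm keys each installed copy by its node_modules path; the package name is
// everything after the last "node_modules/" segment, which keeps scoped names
// such as @web/dev-server-core intact.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Every lockfile path holding `pkg` at a version below `minVersion`.
// An empty result means the override (or update) reached every copy.
function findVulnerableCopies(lock, pkg, minVersion) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages ?? {})) {
    if (lockPath === '' || !entry.version) continue; // root entry or link
    if (packageNameFromPath(lockPath) !== pkg) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      findings.push({ path: lockPath, version: entry.version });
    }
  }
  return findings;
}

const stale = findVulnerableCopies(SAMPLE_LOCK, 'koa', '2.16.3');
if (stale.length === 0) {
  console.log('all copies of koa are at or above 2.16.3');
} else {
  for (const f of stale) console.log(`koa ${f.version} still installed at ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the parsed contents of the repository's package-lock.json; an empty result alongside a clean `npm audit` is the evidence that the override reached every path, not just the top-level one.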