Vulnerability Description
The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(): the redirect it issues uses a relative URL instead of an absolute one, so a path beginning with two slashes is interpreted by the browser as a scheme-relative URL pointing at another host.
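The following is an added illustration of the bug class described above, not the package's own source: a naive trailing-slash stripper modelled on the description, a helper that resolves the resulting Location value the way a browser would, and a hardened variant that can never produce a scheme-relative redirect. Function names and the sample paths are constructed for this example.

```javascript
// Added example (hypothetical code, not koa-remove-trailing-slashes itself).
// Inputs are request pathnames only (no scheme, host or query string).

// Naive behaviour: drop the final "/" and redirect to whatever is left.
// For "//attacker.example/" this yields "//attacker.example", which is a
// scheme-relative URL, i.e. a different host, not a local path.
function naiveStripTrailingSlash(path) {
  return path.length > 1 && path.endsWith('/') ? path.slice(0, -1) : path;
}

// Where a browser actually lands after "Location: <target>" served by `origin`.
// WHATWG URL parsing resolves "//host" against the base scheme only.
function resolveRedirect(origin, target) {
  return new URL(target, origin).href;
}

// Defensive check: does the Location value stay on the site's own origin?
function staysOnOrigin(origin, target) {
  return new URL(target, origin).origin === origin;
}

// Hardened variant: collapse runs of slashes first, then strip trailing
// slashes, and guarantee exactly one leading "/" so the result is always a
// same-origin absolute path. (Building an absolute URL from the request's
// own origin is the other fix the description alludes to.)
function safeStripTrailingSlash(path) {
  let p = path.replace(/\/{2,}/g, '/'); // "//attacker.example/" -> "/attacker.example/"
  p = p.replace(/\/+$/, '');            // "/attacker.example/"  -> "/attacker.example"
  if (p === '') p = '/';                // root stays root
  return p.startsWith('/') ? p : '/' + p;
}

// Constructed demonstration values.
const ORIGIN = 'https://example.com';
const HOSTILE_PATH = '//attacker.example/';

function demo() {
  const naive = naiveStripTrailingSlash(HOSTILE_PATH);
  const safe = safeStripTrailingSlash(HOSTILE_PATH);
  return {
    naiveTarget: resolveRedirect(ORIGIN, naive),   // leaves the site
    naiveSafe: staysOnOrigin(ORIGIN, naive),       // false
    hardenedTarget: resolveRedirect(ORIGIN, safe), // stays on example.com
    hardenedSafe: staysOnOrigin(ORIGIN, safe),     // true
  };
}
```

A redirect middleware can apply `staysOnOrigin` as a last-line check before emitting `Location`, regardless of how the target path was computed.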
CVSS Score
5.4 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Koa-Remove-Trailing-Slashes Project | Koa-Remove-Trailing-Slashes | < 2.0.2 |
Related Weaknesses (CWE)
References
- https://github.com/vgno/koa-remove-trailing-slashes/blame/6a01ba8fd019bd3ece4487 (Broken Link)
- https://snyk.io/vuln/SNYK-JS-KOAREMOVETRAILINGSLASHES-1085708 (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-23384?
CVE-2021-23384 is a vulnerability with a CVSS score of 5.4 (MEDIUM). The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.c...
How severe is CVE-2021-23384?
CVE-2021-23384 has been rated MEDIUM with a CVSS base score of 5.4/10.
Is there a patch for CVE-2021-23384?
Check the references section above for vendor advisories and patch information; versions 2.0.2 and later are not listed as affected. Affected products include: Koa-Remove-Trailing-Slashes (Koa-Remove-Trailing-Slashes Project), versions before 2.0.2.