
CVE-2021-23384: Koa Remove Trailing Slashes Allows URL Hijacking

GHSA-r773-pmw3-f4mr CVE-2021-23384
Summary

Versions of koa-remove-trailing-slashes before 2.0.2 contain an open redirect flaw (CWE-601) that lets attackers redirect users to malicious websites. A request URL with trailing double slashes (such as https://example.com//attacker.example/) triggers it, because the middleware redirects using a relative URL instead of an absolute URL. Websites that use the package are affected. Update to version 2.0.2 or later to fix this issue.

What to do
  • Update pakerstrand koa-remove-trailing-slashes to version 2.0.2.
Affected software
Ecosystem | Vendor | Product | Affected versions
npm | pakerstrand | koa-remove-trailing-slashes | < 2.0.2
Fix: upgrade to 2.0.2
– | koa-remove-trailing-slashes_project | koa-remove-trailing-slashes | < 2.0.2
cpe:2.3:a:koa-remove-trailing-slashes_project:koa-remove-trailing-slashes:*:*:*:*:*:node.js:*:*
Original title
The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://exampl...
Original description
The package koa-remove-trailing-slashes before 2.0.2 is vulnerable to Open Redirect via the use of trailing double slashes in the URL when accessing the vulnerable endpoint (such as https://example.com//attacker.example/). The vulnerable code is in index.js::removeTrailingSlashes(), as the web server uses relative URLs instead of absolute URLs.
ghsa CVSS3.1 5.4
Vulnerability type
CWE-601 Open Redirect
Published: 17 May 2021 · Updated: 15 Jun 2026 · First seen: 6 Mar 2026
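
The relative-versus-absolute URL point in the description, modeled as an added example (this is not code from the koa-remove-trailing-slashes package): it resolves both redirect forms the way a client would and reports which host each lands on. The helper names, the sample origin and the path list are assumptions made for illustration.

```javascript
// Added illustration (not the package's source): a simplified model of a
// "remove trailing slash" redirect, built as a relative and as an absolute URL.
const ORIGIN = 'https://example.com'; // constructed sample origin
// Constructed sample paths; the last one is the path from the advisory's example URL.
const SAMPLE_PATHS = ['/docs/', '/a/b/', '//attacker.example/'];

// Drop trailing slashes from the request path (hypothetical helper).
function stripTrailingSlashes(path) {
  return path.replace(/\/+$/, '') || '/';
}

// Flawed form: the Location value is the bare path, a relative reference.
function relativeLocation(path) {
  return stripTrailingSlashes(path);
}

// Corrected form: the Location value is prefixed with the server's own origin.
function absoluteLocation(origin, path) {
  return origin + stripTrailingSlashes(path);
}

// Resolve a Location value the way a client does, against the request URL.
function resolvedHost(location, origin, requestPath) {
  return new URL(location, origin + requestPath).host;
}

// Report, per path, which host each redirect form lands on.
function audit(origin, paths) {
  return paths.map((p) => ({
    path: p,
    relativeHost: resolvedHost(relativeLocation(p), origin, p),
    absoluteHost: resolvedHost(absoluteLocation(origin, p), origin, p),
  }));
}

// Paths whose relative redirect would leave the site's own host; usable as a
// regression check for redirect middleware.
function offSitePaths(origin, paths) {
  const own = new URL(origin).host;
  return audit(origin, paths)
    .filter((r) => r.relativeHost !== own)
    .map((r) => r.path);
}

console.table(audit(ORIGIN, SAMPLE_PATHS));
```

A Location value that begins with `//` is a scheme-relative reference, so the client treats the first path segment as a host; prefixing the server's own origin keeps the authority fixed.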