HIGH🇵🇱 Wersja polska

CVE-2026-27959

CVSS 7.5v3.1pub. 2026-02-26upd. 2026-06-30

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • Koajs Koa

    APP
    Koajs
    < 2.16.43.0.0 – 3.1.2 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-25200CRITICAL9.2PL ✓ten sam produkt

Atak DoS przez podatność ReDoS w nagłówkach HTTP w Koa (Node.js)

CVE-2025-62595MEDIUM4.3ten sam produkt

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and...

CVE-2025-32379MEDIUM5.0ten sam produkt

Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, pa...

CVE-2025-8129LOW2.0ten sam produkt

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the func...

CVE-2023-49803HIGH8.6ten sam vendor

@koa/cors npm provides Cross-Origin Resource Sharing (CORS) for koa, a web framework for Node.js. Prior to ver...