CVE-2026-27959

High CVSS: 7.5

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

Vendor

Koajs

Product

Koa

CWE

CWE-20

Yayın Tarihi

2026-02-26 02:16:23

Güncelleme

2026-02-28 00:55:26

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Koa HIGH Koajs 2026

Referanslar

https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm

Benzer Kayıtlar

Medium

CVE-2025-62595

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to…

Medium

CVE-2025-8129

A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back…

Medium

CVE-2025-32379

Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untr…

Critical

CVE-2025-25200

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.…