VYPR

Koa

by Koajs

npm: koa


CVEs (5)

  • CVE-2026-27959 (High) Feb 26, 2026
    risk 0.42, cvss 7.5, epss 0.00

    Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname…

  • CVE-2025-8129 (Low) Jul 25, 2025
    risk 0.16, cvss 3.5, epss 0.00

    A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch…

  • CVE-2025-62595 Oct 21, 2025
    risk 0.00, cvss n/a, epss 0.00

    Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker…

  • CVE-2025-32379 Apr 9, 2025
    risk 0.00, cvss n/a, epss 0.00

    Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of a user of the app. This issue is patched in 2.16.1 and…

  • CVE-2025-25200 Feb 12, 2025
    risk 0.00, cvss n/a, epss 0.01

    Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service…