VYPR
Vendor

Koajs

Products
2
CVEs
6
Across products
6
Status
Private

Products

2

Recent CVEs

6
  • CVE-2026-27959HigFeb 26, 2026
    risk 0.42cvss 7.5epss 0.00

    Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname…

  • CVE-2026-9495HigMay 26, 2026
    risk 0.40cvss 7.3epss 0.00

    Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed…

  • CVE-2025-8129LowJul 25, 2025
    risk 0.16cvss 3.5epss 0.00

    A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch…

  • CVE-2025-62595Oct 21, 2025
    risk 0.00cvss epss 0.00

    Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker…

  • CVE-2025-32379Apr 9, 2025
    risk 0.00cvss epss 0.00

    Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and…

  • CVE-2025-25200Feb 12, 2025
    risk 0.00cvss epss 0.01

    Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service…