FKIE_CVE-2026-27959

Vulnerability from fkie_nvd - Published: 2026-02-26 02:16 - Updated: 2026-02-28 00:55
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
References
security-advisories@github.comhttps://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6dfPatch
security-advisories@github.comhttps://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfebPatch
security-advisories@github.comhttps://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qmExploit, Vendor Advisory
Impacted products
Vendor Product Version
koajs koa *
koajs koa *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "47B8F313-898E-4B6D-936A-8F35AC7E7C20",
              "versionEndExcluding": "2.16.14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "D5367576-B8D5-45EE-9214-D40A4E6E1049",
              "versionEndExcluding": "3.1.2",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa\u0027s `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."
    },
    {
      "lang": "es",
      "value": "Koa es un middleware para Node.js que utiliza funciones as\u00edncronas de ES2017. Antes de las versiones 3.1.2 y 2.16.4, la API `ctx.hostname` de Koa realiza un an\u00e1lisis ingenuo del encabezado Host HTTP, extrayendo todo lo que precede al primer signo de dos puntos sin validar que la entrada cumpla con la sintaxis de nombre de host de RFC 3986. Cuando se recibe un encabezado Host malformado que contiene un s\u00edmbolo \u0027@\u0027, `ctx.hostname` devuelve \u0027evil[.]com\u0027 - un valor controlado por el atacante. Las aplicaciones que utilizan `ctx.hostname` para la generaci\u00f3n de URL, enlaces de restablecimiento de contrase\u00f1a, URL de verificaci\u00f3n de correo electr\u00f3nico o decisiones de enrutamiento son vulnerables a ataques de inyecci\u00f3n de encabezado Host. Las versiones 3.1.2 y 2.16.4 solucionan el problema."
    }
  ],
  "id": "CVE-2026-27959",
  "lastModified": "2026-02-28T00:55:26.413",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-26T02:16:23.317",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.