Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/782292?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/782292?format=api", "purl": "pkg:npm/koa@2.5.0", "type": "npm", "namespace": "", "name": "koa", "version": "2.5.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.16.4", "latest_non_vulnerable_version": "3.1.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/26509?format=api", "vulnerability_id": "VCID-5gp2-g6du-qbf5", "summary": "", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8129.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-8129.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8129", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49819", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49677", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49832", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49813", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-8129" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54420", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54420" }, { "reference_url": "https://github.com/koajs/koa/issues/1892", "reference_id": "1892", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T12:01:50Z/" } ], "url": "https://github.com/koajs/koa/issues/1892" }, { "reference_url": "https://github.com/koajs/koa/issues/1892#issue-3213028583", "reference_id": "1892#issue-3213028583", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T12:01:50Z/" } ], "url": "https://github.com/koajs/koa/issues/1892#issue-3213028583" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383344", "reference_id": "2383344", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383344" }, { "reference_url": "https://vuldb.com/?ctiid.317514", "reference_id": "?ctiid.317514", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T12:01:50Z/" } ], "url": "https://vuldb.com/?ctiid.317514" }, { "reference_url": "https://github.com/advisories/GHSA-jgmv-j7ww-jx2x", "reference_id": "GHSA-jgmv-j7ww-jx2x", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jgmv-j7ww-jx2x" }, { "reference_url": "https://vuldb.com/?id.317514", "reference_id": "?id.317514", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T12:01:50Z/" } ], "url": "https://vuldb.com/?id.317514" }, { "reference_url": "https://vuldb.com/?submit.619741", "reference_id": "?submit.619741", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv2", "scoring_elements": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR" }, { "value": "3.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-25T12:01:50Z/" } ], "url": "https://vuldb.com/?submit.619741" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34668?format=api", "purl": "pkg:npm/koa@2.16.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3kes-m2ce-tbee" }, { "vulnerability": "VCID-qq94-5gw2-qyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/34661?format=api", "purl": "pkg:npm/koa@3.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3kes-m2ce-tbee" }, { "vulnerability": "VCID-qq94-5gw2-qyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.1" } ], "aliases": [ "CVE-2025-8129", "GHSA-jgmv-j7ww-jx2x" ], "risk_score": 2.8, "exploitability": "0.5", "weighted_severity": "5.5", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5gp2-g6du-qbf5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/360747?format=api", "vulnerability_id": "VCID-h551-ugxx-tyhy", "summary": "Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.", "references": [ { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8129", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8129" }, { "reference_url": "https://github.com/advisories/GHSA-mvw6-62qv-vmqf", "reference_id": "GHSA-mvw6-62qv-vmqf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mvw6-62qv-vmqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34661?format=api", "purl": "pkg:npm/koa@3.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3kes-m2ce-tbee" }, { "vulnerability": "VCID-qq94-5gw2-qyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.1" } ], "aliases": [ "GHSA-mvw6-62qv-vmqf" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h551-ugxx-tyhy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/89408?format=api", "vulnerability_id": "VCID-juvd-sv1b-hqa7", "summary": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66351", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66245", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.6634", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66353", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25200" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200" }, { "reference_url": "https://github.com/koajs/koa/releases/tag/2.15.4", "reference_id": "2.15.4", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/releases/tag/2.15.4" }, { "reference_url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "reference_id": "5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c" }, { "reference_url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "reference_id": "5f294bb1c7c8d9c61904378d250439a321bffd32", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32" }, { "reference_url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "reference_id": "93fe903fc966635a991bcf890cfc3427d33a1a08", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08" }, { "reference_url": "https://github.com/advisories/GHSA-593f-38f6-jp5m", "reference_id": "GHSA-593f-38f6-jp5m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-593f-38f6-jp5m" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "reference_id": "GHSA-593f-38f6-jp5m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m" }, { "reference_url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "reference_id": "request.js#L259", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259" }, { "reference_url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "reference_id": "request.js#L404", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/377406?format=api", "purl": "pkg:npm/koa@2.15.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5gp2-g6du-qbf5" }, { "vulnerability": "VCID-h551-ugxx-tyhy" }, { "vulnerability": "VCID-krub-gxtb-8ycd" }, { "vulnerability": "VCID-qq94-5gw2-qyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.15.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/377407?format=api", "purl": "pkg:npm/koa@3.0.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5gp2-g6du-qbf5" }, { "vulnerability": "VCID-h551-ugxx-tyhy" }, { "vulnerability": "VCID-krub-gxtb-8ycd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.0-alpha.3" } ], "aliases": [ "CVE-2025-25200", "GHSA-593f-38f6-jp5m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-juvd-sv1b-hqa7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/114549?format=api", "vulnerability_id": "VCID-krub-gxtb-8ycd", "summary": "Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32379", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54872", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54888", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54748", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54871", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32379" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32379", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32379" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358649", "reference_id": "2358649", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358649" }, { "reference_url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312", "reference_id": "ff25eb4a7f2392df46481fe86355161067687312", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/" } ], "url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312" }, { "reference_url": "https://github.com/advisories/GHSA-x2rg-q646-7m2v", "reference_id": "GHSA-x2rg-q646-7m2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2rg-q646-7m2v" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v", "reference_id": "GHSA-x2rg-q646-7m2v", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/376254?format=api", "purl": "pkg:npm/koa@2.16.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5gp2-g6du-qbf5" }, { "vulnerability": "VCID-h551-ugxx-tyhy" }, { "vulnerability": "VCID-qq94-5gw2-qyd6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/376255?format=api", "purl": "pkg:npm/koa@3.0.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-5gp2-g6du-qbf5" }, { "vulnerability": "VCID-h551-ugxx-tyhy" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.0-alpha.5" } ], "aliases": [ "CVE-2025-32379", "GHSA-x2rg-q646-7m2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-krub-gxtb-8ycd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80069?format=api", "vulnerability_id": "VCID-qq94-5gw2-qyd6", "summary": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27959", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31496", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31286", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31478", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27959" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928", "reference_id": "2442928", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928" }, { "reference_url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "reference_id": "55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df" }, { "reference_url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "reference_id": "b76ddc01fdb703e51652b0fd131d16394cadcfeb", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959", "reference_id": "CVE-2026-27959", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959" }, { "reference_url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm", "reference_id": "GHSA-7gcc-r8m5-44qm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "reference_id": "GHSA-7gcc-r8m5-44qm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7249", "reference_id": "RHSA-2026:7249", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7249" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/39941?format=api", "purl": "pkg:npm/koa@2.16.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/39940?format=api", "purl": "pkg:npm/koa@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.1.2" } ], "aliases": [ "CVE-2026-27959", "GHSA-7gcc-r8m5-44qm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qq94-5gw2-qyd6" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.5.0" }