| purl | pkg:npm/koa@0.5.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-dag4-3xut-xffu (Aliases: CVE-2025-32379, GHSA-x2rg-q646-7m2v) | Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code in the browser of the user who uses the app. | Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| VCID-gwgu-xdj8-zkfv (Aliases: GHSA-mvw6-62qv-vmqf) | Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled). This advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references. Original description: A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | Affected by 2 other vulnerabilities. |
| VCID-tn9e-shkk-q3cn (Aliases: CVE-2025-25200, GHSA-593f-38f6-jp5m) | Inefficient Regular Expression Complexity in koa. Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. | Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
| VCID-ypnn-yfx7-wycp (Aliases: CVE-2026-27959, GHSA-7gcc-r8m5-44qm) | Koa has Host Header Injection via ctx.hostname. Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating that the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol (e.g., `evil.com:fake@legitimate.com`) is received, `ctx.hostname` returns `evil.com`, an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. | Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:05:48.246456+00:00 | GitLab Importer | Affected by | VCID-ypnn-yfx7-wycp | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2026-27959.yml | 38.6.0 |
| 2026-06-06T05:56:24.417035+00:00 | GitLab Importer | Affected by | VCID-gwgu-xdj8-zkfv | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/GHSA-mvw6-62qv-vmqf.yml | 38.6.0 |
| 2026-06-06T05:46:38.231044+00:00 | GitLab Importer | Affected by | VCID-dag4-3xut-xffu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2025-32379.yml | 38.6.0 |
| 2026-06-06T05:39:42.316081+00:00 | GitLab Importer | Affected by | VCID-tn9e-shkk-q3cn | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/koa/CVE-2025-25200.yml | 38.6.0 |