{"url":"http://public2.vulnerablecode.io/api/packages/793118?format=json","purl":"pkg:npm/koa@2.0.0-alpha.2","type":"npm","namespace":"","name":"koa","version":"2.0.0-alpha.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"2.16.4","latest_non_vulnerable_version":"3.1.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/360747?format=json","vulnerability_id":"VCID-h551-ugxx-tyhy","summary":"Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. The affected function is `back` in the library lib/response.js of the HTTP Header Handler component. Manipulation of the Referrer argument leads to an open redirect. It is possible to launch the attack remotely. 
The exploit has been disclosed to the public and may be used.","references":[{"reference_url":"https://github.com/koajs/koa","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/koajs/koa"},{"reference_url":"https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8129","reference_id":"","reference_type":"","scores":[{"value":"3.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"},{"value":"2.0","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8129"},{"reference_url":"https://github.com/advisories/GHSA-mvw6-62qv-vmqf","reference_id":"GHSA-mvw6-62qv-vmqf","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-mvw6-62qv-vmqf"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/34661?format=json","purl":"pkg:npm/koa@3.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulner
ability":"VCID-3kes-m2ce-tbee"},{"vulnerability":"VCID-qq94-5gw2-qyd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.1"}],"aliases":["GHSA-mvw6-62qv-vmqf"],"risk_score":1.6,"exploitability":"0.5","weighted_severity":"3.1","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h551-ugxx-tyhy"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/114549?format=json","vulnerability_id":"VCID-krub-gxtb-8ycd","summary":"Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code on users of the app. This issue is patched in 2.16.1 and 3.0.0-alpha.5.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32379","reference_id":"","reference_type":"","scores":[{"value":"0.00311","scoring_system":"epss","scoring_elements":"0.54872","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00311","scoring_system":"epss","scoring_elements":"0.54888","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00311","scoring_system":"epss","scoring_elements":"0.54748","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00311","scoring_system":"epss","scoring_elements":"0.54871","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-32379"},{"reference_url":"https://github.com/koajs/koa","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","
scoring_elements":""}],"url":"https://github.com/koajs/koa"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32379","reference_id":"","reference_type":"","scores":[{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32379"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358649","reference_id":"2358649","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2358649"},{"reference_url":"https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312","reference_id":"ff25eb4a7f2392df46481fe86355161067687312","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/"}],"url":"https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312"},{"reference_url":"https://github.com/advisories/GHSA-x2rg-q646-7m2v","reference_id":"GHSA-x2rg-q646-7m2v","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x2rg-q646-7m2v"},{"reference_url":"https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v","reference_id":"GHSA-x2rg-q646-7m2v","reference_type":"","scores":[{"value":"5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"5.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring
_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/"}],"url":"https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376254?format=json","purl":"pkg:npm/koa@2.16.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5gp2-g6du-qbf5"},{"vulnerability":"VCID-h551-ugxx-tyhy"},{"vulnerability":"VCID-qq94-5gw2-qyd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.1"},{"url":"http://public2.vulnerablecode.io/api/packages/376255?format=json","purl":"pkg:npm/koa@3.0.0-alpha.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5gp2-g6du-qbf5"},{"vulnerability":"VCID-h551-ugxx-tyhy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.0-alpha.5"}],"aliases":["CVE-2025-32379","GHSA-x2rg-q646-7m2v"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-krub-gxtb-8ycd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80069?format=json","vulnerability_id":"VCID-qq94-5gw2-qyd6","summary":"Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. 
Versions 3.1.2 and 2.16.4 fix the issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json","reference_id":"","reference_type":"","scores":[{"value":"8.2","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27959","reference_id":"","reference_type":"","scores":[{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.31496","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.31286","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00125","scoring_system":"epss","scoring_elements":"0.31478","published_at":"2026-06-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-27959"},{"reference_url":"https://github.com/koajs/koa","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/koajs/koa"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442928","reference_id":"2442928","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2442928"},{"reference_url":"https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df","reference_id":"55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/"}],"url":"https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"},{"referenc
e_url":"https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb","reference_id":"b76ddc01fdb703e51652b0fd131d16394cadcfeb","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/"}],"url":"https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27959","reference_id":"CVE-2026-27959","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27959"},{"reference_url":"https://github.com/advisories/GHSA-7gcc-r8m5-44qm","reference_id":"GHSA-7gcc-r8m5-44qm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7gcc-r8m5-44qm"},{"reference_url":"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm","reference_id":"GHSA-7gcc-r8m5-44qm","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/"}],"url":"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2026:10184","reference_id":"RHSA-2026:10184","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:10184"}
,{"reference_url":"https://access.redhat.com/errata/RHSA-2026:7249","reference_id":"RHSA-2026:7249","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2026:7249"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/39941?format=json","purl":"pkg:npm/koa@2.16.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.4"},{"url":"http://public2.vulnerablecode.io/api/packages/39940?format=json","purl":"pkg:npm/koa@3.1.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.1.2"}],"aliases":["CVE-2026-27959","GHSA-7gcc-r8m5-44qm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qq94-5gw2-qyd6"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.0.0-alpha.2"}