Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/803356?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/803356?format=api", "purl": "pkg:npm/koa@0.5.4", "type": "npm", "namespace": "", "name": "koa", "version": "0.5.4", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.16.4", "latest_non_vulnerable_version": "3.1.2", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57118?format=api", "vulnerability_id": "VCID-dag4-3xut-xffu", "summary": "Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function\nIn koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32379.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32379", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54677", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54675", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54685", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54678", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00311", "scoring_system": "epss", "scoring_elements": "0.54657", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-32379" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312", "reference_id": "", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/" } ], "url": "https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358649", "reference_id": "2358649", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2358649" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32379", "reference_id": "CVE-2025-32379", "reference_type": "", "scores": [ { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32379" }, { "reference_url": "https://github.com/advisories/GHSA-x2rg-q646-7m2v", "reference_id": "GHSA-x2rg-q646-7m2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x2rg-q646-7m2v" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v", "reference_id": "GHSA-x2rg-q646-7m2v", "reference_type": "", "scores": [ { "value": "5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "5.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T17:29:51Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84811?format=api", "purl": "pkg:npm/koa@2.16.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-vm7u-chey-7be3" }, { "vulnerability": "VCID-ypnn-yfx7-wycp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/84812?format=api", "purl": "pkg:npm/koa@3.0.0-alpha.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-vm7u-chey-7be3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.0-alpha.5" } ], "aliases": [ "CVE-2025-32379", "GHSA-x2rg-q646-7m2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dag4-3xut-xffu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/57712?format=api", "vulnerability_id": "VCID-gwgu-xdj8-zkfv", "summary": "Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)\n### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-jgmv-j7ww-jx2x. This link is maintained to preserve external references.\n\n### Original Description\nA vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.", "references": [ { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0" }, { "reference_url": "https://github.com/koajs/koa/issues/1892", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/issues/1892" }, { "reference_url": "https://github.com/koajs/koa/issues/1892#issue-3213028583", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa/issues/1892#issue-3213028583" }, { "reference_url": "https://vuldb.com/?ctiid.317514", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?ctiid.317514" }, { "reference_url": "https://vuldb.com/?id.317514", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?id.317514" }, { "reference_url": "https://vuldb.com/?submit.619741", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://vuldb.com/?submit.619741" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8129", "reference_id": "CVE-2025-8129", "reference_type": "", "scores": [ { "value": "3.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" }, { "value": "2.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8129" }, { "reference_url": "https://github.com/advisories/GHSA-mvw6-62qv-vmqf", "reference_id": "GHSA-mvw6-62qv-vmqf", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mvw6-62qv-vmqf" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71032?format=api", "purl": "pkg:npm/koa@3.0.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9unx-nbx3-4ub9" }, { "vulnerability": "VCID-ypnn-yfx7-wycp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.1" } ], "aliases": [ "GHSA-mvw6-62qv-vmqf" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gwgu-xdj8-zkfv" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56654?format=api", "vulnerability_id": "VCID-tn9e-shkk-q3cn", "summary": "Inefficient Regular Expression Complexity in koa\nKoa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25200", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66199", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66197", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66179", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66192", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00496", "scoring_system": "epss", "scoring_elements": "0.66208", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25200" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c" }, { "reference_url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32" }, { "reference_url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08" }, { "reference_url": "https://github.com/koajs/koa/releases/tag/2.15.4", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/releases/tag/2.15.4" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200", "reference_id": "CVE-2025-25200", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25200" }, { "reference_url": "https://github.com/advisories/GHSA-593f-38f6-jp5m", "reference_id": "GHSA-593f-38f6-jp5m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-593f-38f6-jp5m" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "reference_id": "GHSA-593f-38f6-jp5m", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m" }, { "reference_url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "reference_id": "request.js#L259", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259" }, { "reference_url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "reference_id": "request.js#L404", "reference_type": "", "scores": [ { "value": "9.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T18:33:35Z/" } ], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/84104?format=api", "purl": "pkg:npm/koa@0.21.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dag4-3xut-xffu" }, { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-ypnn-yfx7-wycp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@0.21.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/84103?format=api", "purl": "pkg:npm/koa@1.7.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dag4-3xut-xffu" }, { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-ypnn-yfx7-wycp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@1.7.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/84101?format=api", "purl": "pkg:npm/koa@2.15.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dag4-3xut-xffu" }, { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-vm7u-chey-7be3" }, { "vulnerability": "VCID-ypnn-yfx7-wycp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.15.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/84102?format=api", "purl": "pkg:npm/koa@3.0.0-alpha.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-dag4-3xut-xffu" }, { "vulnerability": "VCID-gwgu-xdj8-zkfv" }, { "vulnerability": "VCID-vm7u-chey-7be3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.0.0-alpha.3" } ], "aliases": [ "CVE-2025-25200", "GHSA-593f-38f6-jp5m" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tn9e-shkk-q3cn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50419?format=api", "vulnerability_id": "VCID-ypnn-yfx7-wycp", "summary": "Koa has Host Header Injection via ctx.hostname\nKoa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol (e.g., `evil.com:fake@legitimate.com`) is received, `ctx.hostname` returns `evil.com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-27959.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27959", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31241", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31318", "published_at": "2026-06-05T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31285", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31249", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00125", "scoring_system": "epss", "scoring_elements": "0.31218", "published_at": "2026-06-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27959" }, { "reference_url": "https://github.com/koajs/koa", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/koajs/koa" }, { "reference_url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df" }, { "reference_url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928", "reference_id": "2442928", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959", "reference_id": "CVE-2026-27959", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27959" }, { "reference_url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm", "reference_id": "GHSA-7gcc-r8m5-44qm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7gcc-r8m5-44qm" }, { "reference_url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "reference_id": "GHSA-7gcc-r8m5-44qm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-26T19:31:17Z/" } ], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:10184", "reference_id": "RHSA-2026:10184", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:10184" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:7249", "reference_id": "RHSA-2026:7249", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:7249" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74306?format=api", "purl": "pkg:npm/koa@2.16.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@2.16.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/74305?format=api", "purl": "pkg:npm/koa@3.1.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@3.1.2" } ], "aliases": [ "CVE-2026-27959", "GHSA-7gcc-r8m5-44qm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ypnn-yfx7-wycp" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/koa@0.5.4" }