30 matches found

EUVD
added 2026/04/24 7:17 p.m. | 1 view

EUVD-2026-25618

Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...

CVSS 9.1 | AI score 5.5 | EPSS 0.00445
Exploits: 1 | References: 1
EUVD
added 2026/02/26 10:42 p.m. | 4 views

EUVD-2026-8816

Koa has Host Header Injection via ctx.hostname...

CVSS 7.5 | AI score 5.3 | EPSS 0.00324
Exploits: 1 | References: 4
OSV
added 2026/02/26 10:42 p.m. | 2 views

GHSA-7GCC-R8M5-44QM Koa has Host Header Injection via ctx.hostname

Summary: Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol, e.g., evil.com:[email protected], is received,...

CVSS 7.5 | AI score 5.9 | EPSS 0.00324
Exploits: 1 | References: 5
Snyk
added 2026/02/26 6:18 a.m. | 4 views

HTTP Header Injection

Overview: org.webjars.npm:koa is a Koa web app framework. Affected versions of this package are vulnerable to HTTP Header Injection via the hostname function in the request.js file. An attacker can manipulate the value hostname by sending a specially crafted HTTP Host header containing an @ symbol...

CVSS 8.7 | AI score 6 | EPSS 0.00324
Exploits: 1 | References: 2
Snyk
added 2026/02/26 6:18 a.m. | 4 views

HTTP Header Injection

Overview: koa is a Koa web app framework. Affected versions of this package are vulnerable to HTTP Header Injection via the hostname function in the request.js file. An attacker can manipulate the value hostname by sending a specially crafted HTTP Host header containing an @ symbol, which can lead...

CVSS 8.7 | AI score 6 | EPSS 0.00324
Exploits: 1 | References: 2
NVD
added 2026/02/26 2:16 a.m. | 8 views

CVE-2026-27959

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed...

CVSS 7.5 | EPSS 0.00324
Exploits: 1 | References: 3
CVE
added 2026/02/26 1:45 a.m. | 71 views

CVE-2026-27959

Koa (Node.js) prior to versions 3.1.2 and 2.16.4 exposes a vulnerability in ctx.hostname: it naively parses the Host header and returns an attacker-controlled value when the header contains an invalid RFC 3986 hostname (e.g., with a @). This can affect URL generation, password reset links, email ...

CVSS 7.5 | AI score 5.4 | EPSS 0.00324
Exploits: 1 | References: 3 | Affected Software: 1
IBM Security Bulletins
added 2025/10/30 5:17 p.m. | 23 views

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary: Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.11.1. Vulnerability Details: CVEID: CVE-2025-8129. DESCRIPTION: A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js o...

CVSS 7.5 | AI score 6.9 | EPSS 0.00848
Exploits: 1 | Affected Software: 1
SUSE CVE
added 2025/10/22 11:23 p.m. | 3 views

SUSE CVE-2025-62595

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 6.1 | AI score 4.8 | EPSS 0.00277
Exploits: 1 | References: 3
RedhatCVE
added 2025/10/21 8:08 p.m. | 3 views

CVE-2025-62595

A flaw was found in Koa. A bypass of CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This...

CVSS 6.1 | AI score 6.4 | EPSS 0.00277
Exploits: 2 | References: 5
NVD
added 2025/10/21 5:15 p.m. | 2 views

CVE-2025-62595

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 6.1 | EPSS 0.00277
Exploits: 1 | References: 2
Vulnrichment
added 2025/10/21 4:20 p.m. | 1 view

CVE-2025-62595 Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 4.3 | AI score 6.4 | EPSS 0.00277
Exploits: 1 | References: 2
EUVD
added 2025/10/21 4:20 p.m. | 17 views

EUVD-2025-35182

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 6.1 | AI score 6.3 | EPSS 0.00277
Exploits: 2 | References: 3
Cvelist
added 2025/10/21 4:20 p.m. | 14 views

CVE-2025-62595 Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 4.3 | EPSS 0.00277
Exploits: 1 | References: 2
CVE
added 2025/10/21 4:20 p.m. | 17 views

CVE-2025-62595

KoaJS CVE-2025-62595 affects Koa until patched: versions 2.16.2–2.16.2.x before 2.16.3 and 3.0.1–3.0.2.x before 3.0.3 are vulnerable to a Referer header bypass that can force user redirects to external sites via back redirect in the HTTP header handling. Root cause: some crafted URLs are treated ...

CVSS 6.1 | AI score 6.4 | EPSS 0.00277
Exploits: 1 | References: 2 | Affected Software: 1
OSV
added 2025/10/21 4:20 p.m. | 3 views

CVE-2025-62595 Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate th...

CVSS 4.3 | AI score 6.8 | EPSS 0.00277
Exploits: 1 | References: 4
Snyk
added 2025/10/21 3:09 p.m. | 2 views

Open Redirect

Overview: koa is a Koa web app framework. Affected versions of this package are vulnerable to Open Redirect via the "back redirect" functionality. An attacker can cause users to be redirected to an external, attacker-controlled domain by supplying a specially crafted Referer header containing a...

CVSS 6.1 | AI score 4.5 | EPSS 0.00277
Exploits: 2 | References: 2
Github Security Blog
added 2025/10/21 3:09 p.m. | 7 views

Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

Summary: A bypass was discovered in the Koa.js framework affecting its back redirect functionality. In certain circumstances, an attacker can manipulate the Referer header to force a user’s browser to navigate to an external, potentially malicious website. This occurs because the implementation...

CVSS 6.1 | AI score 4.6 | EPSS 0.00277
Exploits: 1 | References: 4 | Affected Software: 1
Positive Technologies
added 2025/10/21 12:00 a.m. | 4 views

PT-2025-42905

Name of the Vulnerable Software and Affected Versions: Koa versions 2.16.2 through 2.16.3; Koa versions 3.0.1 through 3.0.3. Description: The Koa framework contains a flaw in its back redirect functionality. An attacker can manipulate the Referer header to redirect a user’s browser to a malicious...

CVSS 6.1 | AI score 5.6 | EPSS 0.00277
Exploits: 1 | References: 11
Snyk
added 2025/08/22 6:43 a.m. | 2 views

Open Redirect

Amendment: This was deemed not a vulnerability. Overview: org.webjars.npm:koa is a Koa web app framework. Affected versions of this package are vulnerable to Open Redirect via the redirect function in lib/response.js due to improper input sanitization. An attacker can redirect users to arbitrary...

CVSS 5.4 | AI score 6.9
Exploits: 0 | References: 2