Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality (CVE-2026-27959)
Summary Node.js module Koa is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Node.js modu...
Koa has Host Header Injection via ctx.hostname
Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...
@akash-aw/aw-wizard-forms (=4.14.0), @alfresco/aca-generators (>=1.0.0 <=1.0.1) +134 more potentially affected by CVE-2026-27959 via koa (>=3.0.0 <=3.1.1)
koa NPM version =3.0.0, =1.0.0, =1.0.0, =0.44.0, =0.0.0-nightly-20260213031600, =0.0.0-nightly-20260317031259, =0.0.0-nightly-20260317031259, =0.0.0-nightly-20260213031600, =2025.12.1, =2.23.0, =0.0.1, =0.20.0, =0.0.5, =2026.1.2, =2.0.0, =2.0.1 and more Source cves: CVE-2026-27959 Source advisory...
CVE-2026-27959 Koa has Host Header Injection via `ctx.hostname`
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed...
@akash-aw/aw-wizard-forms (=4.14.0), @alfresco/aca-generators (>=1.0.0 <=1.0.1) +73 more potentially affected by CVE-2025-62595 via koa (=3.0.1)
koa NPM version =3.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on koa and may be impacted: - @akash-aw/aw-wizard-forms =4.14.0 - @alfresco/aca-generators =1.0.0, =1.0.0, =0.44.0, =2.23.0, =3.10.0, =0.4.0, =0.30.0, =0.3.0, =3.0.0, =0.1.0-next.717,...
@certd/commercial-core (>=1.25.9 <=1.39.13), @certd/lib-server (>=1.36.25 <=1.39.13) +32 more potentially affected by CVE-2025-62595 via koa (=2.16.2)
koa NPM version =2.16.2 is affected by a known vulnerability. The following packages have a transitive dependency on koa and may be impacted: - @certd/commercial-core =1.25.9, =1.36.25, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =0.19.3, =3.20.11,...
koa input validation error vulnerability
koa is a Koa.js open source expressive middleware using node.js. An input validation error vulnerability exists in koa version 2.16.2 up to and including version 2.16.3 and version 3.0.1 up to and including version 3.0.3, which stems from incorrect handling of specially crafted URLs and can lead ...
02.koa-demo (=1.0.0), 0510test (=1.0.0) +13096 more potentially affected by unknown CVE via koa (>=0.0.1 <=3.2.0)
koa NPM version =0.0.1, =1.3.7, =1.0.0, =0.0.1, =1.0.0, =1.0.1 - 2-26 =1.0.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-KOA-12143256...
Koa Open Redirect via Referrer Header (User-Controlled)
Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. Details on the API document https://www.koajs.net/api/responseresponseredirecturl-alt, we can see:...
PT-2025-31355 · Koa · Koa
Name of the Vulnerable Software and Affected Versions: Koa affected versions not specified Description: The back method used for redirect operations in Koa utilizes the user-controllable Referrer header as the redirect target, creating an open redirect condition. The response.redirect function,...
3dshex (>=0.1.0 <=0.5.3), 91jin (>=0.1.4 <=0.1.8) +1906 more potentially affected by CVE-2025-32379 via koa (>=0.0.1 <=2.16.0)
koa NPM version =0.0.1, =0.1.0, =0.1.4, =1.0.0, =1.0.0, =0.1.0, =0.0.4, =3.10.1, =3.7.0, =0.0.1, =0.2.9, =4.25.19-patch.1, =4.25.19-patch.3 - @ant-design-vue/tools =1.0.1 and more Source cves: CVE-2025-32379 Source advisory: OSV:GHSA-X2RG-Q646-7M2V...
Denial Of Service (DoS)
Koa is vulnerable to Denial of Service. The vulnerability is due to inefficient regular expression processing: an overly complex regex is used to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers, which can be exploited to cause excessive resource consumption...
@24hr/content-next (>=1.0.0 <=3.0.17), @akanjs/config (>=0.0.4 <=0.0.16) +852 more potentially affected by CVE-2025-25200 via koa (>=2.0.0 <=2.15.3)
koa NPM version =2.0.0, =1.0.0, =0.0.4, =3.10.1, =3.7.0, =0.2.9, =4.25.19-patch.1, =0.0.1, =0.0.1, =0.0.50, =0.0.7, =1.0.1, =1.0.17 - @avorati/strapi-plugin-preview =1.0.1 and more Source cves: CVE-2025-25200 Source advisory: OSV:GHSA-593F-38F6-JP5M...
@oberd/olive-middleware-koa (>=1.2.7 <=1.3.2), @ysdn/admin (>=1.0.0 <=1.0.2) +149 more potentially affected by CVE-2025-25200 via koa (>=0.0.1 <=0.21.0)
koa NPM version =0.0.1, =1.2.7, =1.0.0, =0.0.0, =0.0.1, =1.0.0, =0.1.0, =0.1.0, =0.2.0 - bonojs =0.1.0 and more Source cves: CVE-2025-25200 Source advisory: OSV:GHSA-593F-38F6-JP5M...
Koa security vulnerability
Koa is an open source middleware for Koa.js. A security vulnerability exists in Koa that stems from the use of malicious regular expressions to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers...