CVE-2025-25200

Summary

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

Affected Software

VendorProductVersion RangeStatus
koajskoa< 0.21.2affected
koajskoa>= 1.0.0, < 1.7.1affected
koajskoa>= 2.0.0-alpha.1, < 2.15.4affected
koajskoa>= 3.0.0-alpha.0, < < 3.0.0-alpha.3affected

Weaknesses

  • CWE-1333: CWE-1333: Inefficient Regular Expression Complexity

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References