CVE-2026-27959
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol is received, ctx.hostname returns evil[.]com - an attacker-controlled value. Applications using ctx.hostname for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| koajs | koa | >= 3.0.0, < 3.1.2 | affected |
| koajs | koa | < 2.16.4 | affected |
Weaknesses
- CWE-20: CWE-20: Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
koa: Koa: Host header injection vulnerability due to malformed HTTP Host header parsing
Additional References
- https://access.redhat.com/security/cve/CVE-2026-27959
- https://bugzilla.redhat.com/show_bug.cgi?id=2442928
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-27959.json
- https://access.redhat.com/errata/RHSA-2026:10184
- https://access.redhat.com/errata/RHSA-2026:7249
References
- https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm
- https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df
- https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.