koa
npm5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting koapage 1 of 1
- CVE-2025-25200HIGHCVSS 7.5EG 7.5✓ Fixed in 0.21.22025-02-12
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exp…
- CVE-2025-32379MEDIUMCVSS 5.0EG 5.0✓ Fixed in 3.0.0-alpha.52025-04-09
Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect() even after sanitizing it, may execute javascript code on the user who use the app. T…
- CVE-2025-62595MEDIUMCVSS 6.1EG 4.3✓ Fixed in 2.16.32025-10-21
Koa is expressive middleware for Node.js using ES2017 async functions. In versions 2.16.2 to before 2.16.3 and 3.0.1 to before 3.0.3, a bypass to CVE-2025-8129 was discovered in the Koa.js framework affecting its back redirect functionalit…
- CVE-2025-8129MEDIUMCVSS 6.1EG 3.5✓ Fixed in 3.0.12025-07-25
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to…
- CVE-2026-27959HIGHCVSS 7.5EG 7.5✓ Fixed in 2.16.42026-02-26
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the in…
Check whether koa is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for koa CVEs against the assets you own.
Start Free Scan →