CVE-2025-25200
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-25200
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25200.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-25200
- Aliases
- Published
- 2025-02-12T17:59:04Z
- Modified
- 2025-10-15T22:54:51.179Z
- Severity
-
- 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
- Summary
- Koa has Inefficient Regular Expression Complexity
- Details
-
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the
X-Forwarded-ProtoandX-Forwarded-HostHTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue. - References
-
- https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m
- https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c
- https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32
- https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08
- https://github.com/koajs/koa/blob/master/lib/request.js#L259
- https://github.com/koajs/koa/blob/master/lib/request.js#L404
- https://github.com/koajs/koa/releases/tag/2.15.4
Affected packages
Git / github.com/koajs/koa
Affected ranges
- Type
- GIT
- Repo
- https://github.com/koajs/koa
- Events
- Type
- GIT
- Repo
- https://github.com/koajs/koa
- Events
Affected versions
1.*
1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.7.0
2.*
2.0.0-alpha.1
2.0.0-alpha.2
2.0.0-alpha.3
2.0.0-alpha.4
2.0.0-alpha.5
2.0.0-alpha.6
2.0.0-alpha.7
2.0.0-alpha.8
2.0.1
2.1.0
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.15.3
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.9.0