CVE-2025-25200

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-25200
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25200.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-25200
Aliases
Published
2025-02-12T17:59:04Z
Modified
2025-10-15T22:54:51.179Z
Severity
  • 9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H CVSS Calculator
Summary
Koa has Inefficient Regular Expression Complexity
Details

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

References

Affected packages

Git / github.com/koajs/koa

Affected ranges

Type
GIT
Repo
https://github.com/koajs/koa
Events
Type
GIT
Repo
https://github.com/koajs/koa
Events

Affected versions

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.3.0
1.4.0
1.4.1
1.5.0
1.5.1
1.6.0
1.6.1
1.6.2
1.7.0

2.*

2.0.0-alpha.1
2.0.0-alpha.2
2.0.0-alpha.3
2.0.0-alpha.4
2.0.0-alpha.5
2.0.0-alpha.6
2.0.0-alpha.7
2.0.0-alpha.8
2.0.1
2.1.0
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.15.3
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.9.0

Database specific

{
    "unresolved_versions": [
        {
            "type": "",
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "fixed": "0.21.2"
                }
            ]
        },
        {
            "type": "",
            "events": [
                {
                    "introduced": "0"
                },
                {
                    "last_affected": ">= 3.0.0-alpha.0, < < 3.0.0-alpha.3"
                }
            ]
        }
    ]
}