CVE-2026-27959

Source
https://cve.org/CVERecord?id=CVE-2026-27959
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27959.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-27959
Aliases
Published
2026-02-26T01:45:45.668Z
Modified
2026-03-03T02:56:51.598949Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Koa has Host Header Injection via `ctx.hostname`
Details

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating that the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns evil[.]com, an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27959.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/koajs/koa

Affected ranges

Type
GIT
Repo
https://github.com/koajs/koa
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.1.2"
        }
    ]
}
Type
GIT
Repo
https://github.com/koajs/koa
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.16.4"
        }
    ]
}

Affected versions

0.*
0.0.2
0.1.0
0.1.1
0.1.2
0.10.0
0.11.0
0.12.0
0.12.1
0.12.2
0.13.0
0.14.0
0.15.0
0.16.0
0.17.0
0.18.0
0.18.1
0.19.0
0.19.1
0.2.0
0.2.1
0.20.0
0.21.0
0.3.0
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.2
0.6.3
0.7.0
0.8.0
0.8.1
0.8.2
0.9.0
1.*
1.0.0
1.1.0
2.*
2.0.0-alpha.1
2.0.0-alpha.2
2.0.0-alpha.3
2.0.0-alpha.4
2.0.0-alpha.5
2.0.0-alpha.6
2.0.0-alpha.7
2.0.0-alpha.8
2.0.1
2.1.0
2.10.0
2.11.0
2.12.0
2.12.1
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.14.1
2.14.2
2.15.0
2.15.1
2.15.2
2.15.3
2.15.4
2.3.0
2.4.0
2.4.1
2.5.0
2.5.1
2.5.2
2.5.3
2.6.0
2.6.1
2.6.2
2.7.0
2.8.0
2.8.1
2.8.2
2.9.0
v2.*
v2.16.0
v2.16.1
v2.16.2
v2.16.3
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.1.0
v3.1.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27959.json"