CVE-2026-27959 in koa정보

요약

\~에 의해 MITRE • 2026. 02. 26.

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

GitHub M

예약하다

2026. 02. 25.

공개

2026. 02. 26.

모더레이션

수락

항목

VDB-347945

CPE

준비됨

CWE

CWE-20 (확인됨)

CVSS

7.5 (CNA)

EPSS

0.00125

KEV

아니요

활동

매우 낮음

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-27959
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-27959
CVE Details	https://www.cvedetails.com/cve/CVE-2026-27959/

◂ 이전 개요 다음 ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!