CVE-2026-27959

HIGH 7.5

Koa has Host Header Injection via `ctx.hostname`

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

CWE	CWE-20
Vendor	koajs
Product	koa
Published	Feb 26, 2026
Last Updated	Feb 26, 2026

Stay Ahead of the Next One

Get instant alerts for koajs koa

Be the first to know when new high vulnerabilities affecting koajs koa are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

koajs / koa

>= 3.0.0, < 3.1.2 < 2.16.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm github.com: https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df github.com: https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb