PT-2025-7056 · Koa · Koa
R4356Th · Published 2025-02-12 · Updated 2026-01-20 · CVE-2025-25200
CVSS v4.0: 9.2 (Critical)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H |
Name of the Vulnerable Software and Affected Versions:
Koa versions prior to 0.21.2
Koa versions prior to 1.7.1
Koa versions prior to 2.15.4
Koa versions prior to 3.0.0-alpha.3
Description:
The issue is a Denial-of-Service vulnerability: Koa parses the X-Forwarded-Proto and X-Forwarded-Host HTTP headers with an evil regex (a regular expression subject to catastrophic backtracking on crafted input). This can be exploited to carry out a Denial-of-Service attack, causing memory exhaustion.
Recommendations:
For versions prior to 0.21.2, update to version 0.21.2 or later.
For versions prior to 1.7.1, update to version 1.7.1 or later.
For versions prior to 2.15.4, update to version 2.15.4 or later.
For versions prior to 3.0.0-alpha.3, update to version 3.0.0-alpha.3 or later.
As a temporary workaround, consider restricting access to the X-Forwarded-Proto and X-Forwarded-Host HTTP headers until a patch is available.

Exploit · Fix · DoS
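The workaround above can be applied inside the application itself when it cannot be done at the reverse proxy. The following is an added example, not Koa project code: a Koa-style middleware that bounds the length and the number of comma-separated entries of the X-Forwarded-Proto and X-Forwarded-Host headers before Koa's own `ctx.protocol` / `ctx.host` getters parse them (Koa only consults these headers when `app.proxy` is true). The option names, the limits and the sample header values are constructed for this example; no Koa import is needed to run it.

```javascript
// Added example (not Koa project code): bound the X-Forwarded-Proto and
// X-Forwarded-Host headers before Koa parses them. Header names are real;
// option names, default limits and the demo ctx are constructed here.

const GUARDED_HEADERS = ['x-forwarded-proto', 'x-forwarded-host'];

// Pure check so it can be unit-tested without a Koa app.
// Returns null when the headers are acceptable, otherwise { header, reason }.
function checkForwardedHeaders(headers, { maxLength = 256, maxValues = 8 } = {}) {
  for (const name of GUARDED_HEADERS) {
    const value = headers[name];
    if (value === undefined) continue;
    if (typeof value !== 'string') {
      return { header: name, reason: 'unexpected type' };
    }
    if (value.length > maxLength) {
      return { header: name, reason: `length ${value.length} > ${maxLength}` };
    }
    // The value is a comma-separated hop list; bound the entry count with a
    // plain split instead of a backtracking regex.
    const count = value.split(',').length;
    if (count > maxValues) {
      return { header: name, reason: `${count} values > ${maxValues}` };
    }
  }
  return null;
}

// Koa-style middleware: reject with 431 (Request Header Fields Too Large), or
// with strip: true drop the offending header and let the request continue
// as if no proxy header had been sent.
function forwardedHeaderGuard(options = {}) {
  const { strip = false, ...limits } = options;
  return function guard(ctx, next) {
    const problem = checkForwardedHeaders(ctx.request.headers, limits);
    if (problem) {
      if (strip) {
        delete ctx.request.headers[problem.header];
      } else {
        ctx.status = 431;
        ctx.body = `${problem.header} rejected: ${problem.reason}`;
        return Promise.resolve();
      }
    }
    return next();
  };
}

// Stand-alone demo with a constructed ctx (constructed sample input).
function runDemo() {
  const oversized = 'https,' + ' '.repeat(5000) + 'http';
  const ctx = {
    request: { headers: { 'x-forwarded-proto': oversized } },
    status: 404,
    body: null,
  };
  let reachedHandler = false;
  const guard = forwardedHeaderGuard({ maxLength: 256 });
  return guard(ctx, () => { reachedHandler = true; return Promise.resolve(); })
    .then(() => ({ status: ctx.status, reachedHandler }));
}

runDemo().then((result) => console.log(result)); // { status: 431, reachedHandler: false }
```

In a real application the guard is registered first, `app.use(forwardedHeaderGuard({ maxLength: 256 }))`, so it runs before any middleware that reads `ctx.protocol` or `ctx.host`; `app.proxy` should be enabled only when the application is actually deployed behind a trusted reverse proxy that overwrites these headers. Bounding the input is a stopgap; updating to a fixed version remains the recommendation.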
Affected Products
Koa