PT-2026-22104 · Koa · Koa

P80N-Sec · Published 2026-02-26 · Updated 2026-03-03 · CVE-2026-27959

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Koa 3.x versions prior to 3.1.2; Koa 2.x versions prior to 2.16.4.
Description: Koa, an expressive middleware framework for Node.js built on ES2017 async functions, derives ctx.hostname from the HTTP Host header without validating the value against the RFC 3986 host syntax; in particular it mishandles colons. A malformed Host header containing an @ symbol can therefore make ctx.hostname return an attacker-controlled value such as evil[.]com. Any application that uses ctx.hostname to generate URLs (password reset links, email verification URLs) or to make routing decisions is exposed to Host header injection: the poisoned hostname ends up in links sent to victims or selects the wrong backend. The CVSS vector (C:N/I:H/A:N) reflects this: the impact is to integrity only, with no disclosure or availability effect by itself. Vulnerable API: ctx.hostname. Vulnerable parameter: the Host header.
Recommendations: Update Koa 3.x to version 3.1.2 or later; update Koa 2.x to version 2.16.4 or later. As defense in depth, generate absolute URLs for password reset and email verification flows from a configured canonical origin rather than from ctx.hostname, and reject requests whose Host header is not on an explicit allowlist of hostnames the application serves.
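As an added example (not Koa's code and not the upstream patch), the following Node.js script models the parsing failure described above and the two mitigations recommended: hostnameNaive lets the WHATWG URL parser interpret the raw Host value, so a value containing @ yields the attacker's suffix because everything before the @ is read as userinfo; hostnameStrict accepts only values matching the RFC 3986 host[:port] syntax; checkHost and the Koa-style hostAllowlist middleware reject anything outside an explicit allowlist; resetLink builds a sensitive URL from a configured origin instead of the request. All function names, the allowlist and the sample Host values (app.example, evil.example) are constructed for this example and are assumptions, not identifiers from the advisory.

```javascript
'use strict';
// Added example, not Koa's code. Models the Host header failure mode and a
// hardened replacement; every helper here is hypothetical, not the upstream fix.

// Vulnerable-style derivation (hypothetical model): hand the raw Host value to
// the WHATWG URL parser. '@' is the userinfo separator, so the text before it
// becomes a username and the attacker-supplied suffix is returned as hostname.
function hostnameNaive(hostHeader) {
  try {
    return new URL(`http://${hostHeader}/`).hostname;
  } catch {
    return '';
  }
}

// RFC 3986: host = IP-literal / IPv4address / reg-name
//           reg-name = *( unreserved / pct-encoded / sub-delims )
// '@' is not in that set, and ':' may only separate the port.
const REG_NAME = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$/;
const IP_LITERAL = /^\[[0-9A-Fa-f:.]+\]$/; // simplified: hex digits, ':' and '.' only
const PORT = /^[0-9]*$/;

// Split "host[:port]", honouring bracketed IPv6 literals; null if malformed.
function splitHostPort(hostHeader) {
  if (hostHeader.startsWith('[')) {
    const end = hostHeader.indexOf(']');
    if (end === -1) return null;
    const rest = hostHeader.slice(end + 1);
    if (rest !== '' && rest[0] !== ':') return null; // e.g. "[::1]@evil.example"
    return { host: hostHeader.slice(0, end + 1), port: rest.slice(1) };
  }
  const idx = hostHeader.indexOf(':');
  if (idx === -1) return { host: hostHeader, port: '' };
  return { host: hostHeader.slice(0, idx), port: hostHeader.slice(idx + 1) };
}

// Strict replacement: returns the host only when the whole header value is a
// syntactically valid RFC 3986 host[:port]; anything else yields ''.
function hostnameStrict(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader === '') return '';
  const parts = splitHostPort(hostHeader);
  if (parts === null || !PORT.test(parts.port)) return '';
  const { host } = parts;
  if (host.startsWith('[')) return IP_LITERAL.test(host) ? host : '';
  return REG_NAME.test(host) ? host : '';
}

// Defense in depth: a well-formed hostname is still attacker-chosen, so only
// accept names the application actually serves.
function checkHost(hostHeader, allowedHosts) {
  const name = hostnameStrict(hostHeader).toLowerCase();
  const ok = name !== '' && allowedHosts.some((h) => h.toLowerCase() === name);
  return { ok, hostname: ok ? name : '' };
}

// Koa-style middleware (hypothetical) built on checkHost: rejects bad or
// unknown Host values before any downstream handler can read ctx.hostname.
function hostAllowlist(allowedHosts) {
  return async function enforceHost(ctx, next) {
    const { ok } = checkHost(ctx.get('Host'), allowedHosts);
    if (!ok) {
      ctx.status = 400;
      ctx.body = 'Bad Host header';
      return;
    }
    await next();
  };
}

// Build sensitive links from a configured canonical origin, never from the request.
function resetLink(canonicalOrigin, token) {
  return new URL(`/reset?token=${encodeURIComponent(token)}`, canonicalOrigin).href;
}

// Constructed sample Host values (not captured traffic).
const SAMPLES = [
  'app.example',
  'app.example:8443',
  '[::1]:3000',
  'app.example@evil.example',  // '@' smuggles a second host past a naive parser
  'app.example:@evil.example', // same trick with an empty "password"
  '[::1]@evil.example',        // IPv6-literal prefix followed by '@'
];
for (const h of SAMPLES) {
  console.log(
    JSON.stringify(h).padEnd(30),
    'naive:', hostnameNaive(h).padEnd(14),
    'strict:', JSON.stringify(hostnameStrict(h)),
  );
}
```

Run with node; the table it prints contrasts the two parsers on each sample. The syntactic check alone still accepts any well-formed hostname an attacker chooses to send, which is why link generation should use checkHost (or a fixed canonical origin) rather than trust the parsed value.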

Weakness Enumeration

Special Elements Injection

Related Identifiers

CVE-2026-27959
GHSA-7GCC-R8M5-44QM

Affected Products

Koa