{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25200", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.400Z", "datePublished": "2025-02-12T17:59:04.615Z", "dateUpdated": "2025-02-12T19:29:10.232Z"}, "containers": {"cna": {"title": "Koa has Inefficient Regular Expression Complexity", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"}, {"name": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"}, {"name": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"}, {"name": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"}, {"name": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259"}, {"name": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404"}, {"name": "https://github.com/koajs/koa/releases/tag/2.15.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/releases/tag/2.15.4"}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"version": "< 0.21.2", "status": "affected"}, {"version": ">= 1.0.0, < 1.7.1", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.15.4", "status": "affected"}, {"version": ">= 3.0.0-alpha.0, < < 3.0.0-alpha.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:59:04.615Z"}, "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}], "source": {"advisory": "GHSA-593f-38f6-jp5m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T18:33:35.286450Z", "id": "CVE-2025-25200", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:29:10.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25200", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T18:33:35.286450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:29:02.600Z"}}], "cna": {"title": "Koa has Inefficient Regular Expression Complexity", "source": {"advisory": "GHSA-593f-38f6-jp5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"status": "affected", "version": "< 0.21.2"}, {"status": "affected", "version": ">= 1.0.0, < 1.7.1"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.15.4"}, {"status": "affected", "version": ">= 3.0.0-alpha.0, < < 3.0.0-alpha.3"}]}], "references": [{"url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "name": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "name": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "name": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "name": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/releases/tag/2.15.4", "name": "https://github.com/koajs/koa/releases/tag/2.15.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:59:04.615Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25200", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:29:10.232Z", "dateReserved": "2025-02-03T19:30:53.400Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-12T17:59:04.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "49E8166D-828D-483B-BA33-E837335BA933", "versionEndExcluding": "0.21.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "FF1C3340-4EC7-4087-B14E-8188AC925867", "versionEndExcluding": "1.7.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "88256A20-54C1-455F-9BBA-19DC6292C978", "versionEndExcluding": "2.15.4", "versionStartIncluding": "2.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha0:*:*:*:node.js:*:*", "matchCriteriaId": "C939FF76-3FDC-4439-8794-4DFC390B6AE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha1:*:*:*:node.js:*:*", "matchCriteriaId": "6C0F27D9-2CCD-4CA4-BB80-3650CA1CC7D7", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:3.0.0:alpha2:*:*:*:node.js:*:*", "matchCriteriaId": "AC7C1D95-EC40-445D-A46D-5B52C771E9EE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}, {"lang": "es", "value": "Koa es un middleware expresivo para Node.js que utiliza funciones asincr\u00f3nicas ES2017. En versiones anteriores a las 0.21.2, 1.7.1, 2.15.4 y 3.0.0-alpha.3, Koa utiliza una expresi\u00f3n regular maliciosa para analizar los encabezados HTTP `X-Forwarded-Proto` y `X-Forwarded-Host`. Esto se puede aprovechar para llevar a cabo un ataque de denegaci\u00f3n de servicio. Las versiones 0.21.2, 1.7.1, 2.15.4 y 3.0.0-alpha.3 solucionan el problema."}], "id": "CVE-2025-25200", "lastModified": "2026-01-20T14:42:45.760", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-12T18:15:28.110", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/koajs/koa/releases/tag/2.15.4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "koa: Koa has Inefficient Regular Expression Complexity", "id": "2345319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345319"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1333", "details": ["Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.", "A denial of service flaw was found in the koa library. An improperly designed regex is used to parse some specific HTTP headers. If untrusted requests are passed to koa, it can cause excessive resource usage on the server."], "name": "CVE-2025-25200", "public_date": "2025-02-12T17:59:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25200\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25200\nhttps://github.com/koajs/koa/blob/master/lib/request.js#L259\nhttps://github.com/koajs/koa/blob/master/lib/request.js#L404\nhttps://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c\nhttps://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32\nhttps://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08\nhttps://github.com/koajs/koa/releases/tag/2.15.4\nhttps://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"], "statement": "Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. Red Hat Developer Hub uses `koa` as a transient dependency during build time, the vulnerable code is not accessible at runtime.", "threat_severity": "Low"}

{}