{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.792Z", "datePublished": "2026-02-26T01:45:45.668Z", "dateUpdated": "2026-02-26T19:32:00.105Z"}, "containers": {"cna": {"title": "Koa has Host Header Injection via `ctx.hostname`", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"}, {"name": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"}, {"name": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"version": ">= 3.0.0, < 3.1.2", "status": "affected"}, {"version": "< 2.16.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:45:45.668Z"}, "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "source": {"advisory": "GHSA-7gcc-r8m5-44qm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:31:17.215940Z", "id": "CVE-2026-27959", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:32:00.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27959", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T19:31:17.215940Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:31:35.224Z"}}], "cna": {"title": "Koa has Host Header Injection via `ctx.hostname`", "source": {"advisory": "GHSA-7gcc-r8m5-44qm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.1.2"}, {"status": "affected", "version": "< 2.16.4"}]}], "references": [{"url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "name": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "name": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "name": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:45:45.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27959", "state": "PUBLISHED", "dateUpdated": "2026-02-26T19:32:00.105Z", "dateReserved": "2026-02-25T03:24:57.792Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T01:45:45.668Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "47B8F313-898E-4B6D-936A-8F35AC7E7C20", "versionEndExcluding": "2.16.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D5367576-B8D5-45EE-9214-D40A4E6E1049", "versionEndExcluding": "3.1.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "id": "CVE-2026-27959", "lastModified": "2026-02-28T00:55:26.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:23.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "koa: Koa: Host header injection vulnerability due to malformed HTTP Host header parsing", "id": "2442928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.", "A flaw was found in Koa\u2019s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending a malicious Host header to influence the hostname value returned by ctx.hostname. Applications that rely on this value for generating absolute URLs, password reset links, or email verification links without additional validation may be susceptible to Host header injection attacks."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates once they become available."}, "name": "CVE-2026-27959", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-02-26T01:45:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27959\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27959\nhttps://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df\nhttps://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb\nhttps://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"], "statement": "Red Hat Product Security considers this issue as High severity. \nA remote, unauthenticated attacker can send a specially crafted HTTP Host header containing a valid RFC 3986 userinfo component (using the @ delimiter). Due to improper parsing of the authority field in the ctx.hostname API, the application may treat attacker-controlled input as the hostname value. Exploitation occurs when the server processes the malicious request and does not require user interaction (UI:N).\nApplications that rely on ctx.hostname to construct absolute URLs, such as: password reset links, email verification links, OAuth redirect URIs, or webhook endpoints, may generate security sensitive URLs that reference an attacker controlled domain. This can result in integrity violations, including manipulation of authentication flows or account takeover scenarios. Integrity impact is therefore rated High.\nConfidentiality impact is considered Low because disclosure of sensitive data depends on application-specific usage patterns. The vulnerability does not automatically expose information from the server. However, if an affected application uses the manipulated hostname value to generate security-sensitive links such as password reset or email verification URLs and embeds tokens in those links without additional validation, a victim who later follows such a link may inadvertently disclose those tokens to an attacker controlled domain. Such disclosure is conditional, application-dependent like how the application constructs URLs. Also, the subsequent user interaction beyond the initial exploitation, the confidentiality impact is assessed as Low (C:L).", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.1.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.16.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "koa", "source": "cna", "vendor": "koajs"}, "product": "koa", "vendor": "koajs"}], "analysis": {"en": {"generated_at": "2026-04-17T14:30:39.400471+00:00", "value": {"mitigation_remediation": ["Upgrade to Koa version 3.1.2 or later, or 2.16.4 or later, where the host header parsing bug has been fixed.", "If an upgrade cannot be performed immediately, add a middleware layer that validates the Host header against RFC 3986 before it reaches ctx.hostname, rejecting headers that contain an @ character or other invalid characters.", "Configure your deployment to use a reverse proxy or load balancer that normalizes or rejects malformed Host headers, ensuring that only trusted hostnames reach the application."], "summary": {"action": "Patch", "impact": "Host Header Injection in Koa via ctx.hostname"}, "threat_synthesis": {"affected_systems": "Koajs Koa, a Node.js middleware library. The vulnerability is present in all releases prior to version 3.1.2 and 2.16.4. Users of these earlier releases are affected regardless of the operating system or hosting environment.", "description_and_impact": "Koa's ctx.hostname function parsed the Host header without RFC 3986 validation, taking the substring before the first colon. A header that contains an @ symbol is treated as a valid hostname and returned exactly as the attacker supplied, e.g. an incoming header of \"evil@example.com\" results in ctx.hostname returning \"evil.com\". Applications that use ctx.hostname to construct URLs for password reset links, email verification, or routing are therefore able to inject an attacker-controlled hostname into user-facing links. This allows attackers to create convincing phishing URLs, redirect users, or potentially facilitate credential\u2011stealing or session\u2011fixation attacks when the forged hostname is embedded in authentication or password\u2011reset links.", "risk_and_exploitability": "The issue has a CVSS score of 7.5 (high) and an EPSS score of less than 1%, indicating the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it from any location that can send HTTP requests to the vulnerable service, for example by crafting a malicious request that includes a Host header with an @ symbol. No privileged access or additional compromise is required beyond the ability to send a request to the application."}}}}, "created": "2026-02-26T13:09:55.392198+00:00", "updated": "2026-04-17T14:45:21.018618+00:00", "vendors": ["koajs", "koajs$PRODUCT$koa"]}