Description
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Host Header Injection in Koa via ctx.hostname
Action: Patch
AI Analysis

Impact

Koa's ctx.hostname getter parsed the Host header without RFC 3986 validation, taking the substring before the first colon. A header that contains an @ symbol is treated as a valid hostname and returned exactly as the attacker supplied it; for example, an incoming header of "evil@example.com" results in ctx.hostname returning "evil.com". Applications that use ctx.hostname to construct URLs for password reset links, email verification, or routing therefore let an attacker inject a controlled hostname into user-facing links. An attacker can use this to create convincing phishing URLs, redirect users, or potentially facilitate credential-stealing or session-fixation attacks when the forged hostname is embedded in authentication or password-reset links.

Affected Systems

Koa (vendor Koajs), a Node.js middleware library. The vulnerability is present in all releases prior to versions 3.1.2 and 2.16.4; users of those earlier releases are affected regardless of operating system or hosting environment.

Risk and Exploitability

The issue has a CVSS score of 7.5 (high) and an EPSS score of less than 1%, indicating the likelihood of exploitation is currently very low. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it from any location that can send HTTP requests to the vulnerable service, for example by crafting a malicious request that includes a Host header with an @ symbol. No privileged access or additional compromise is required beyond the ability to send a request to the application.

Generated by OpenCVE AI on April 17, 2026 at 14:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Koa version 3.1.2 or later, or 2.16.4 or later, where the host header parsing bug has been fixed.
  • If an upgrade cannot be performed immediately, add a middleware layer that validates the Host header against RFC 3986 before it reaches ctx.hostname, rejecting headers that contain an @ character or other invalid characters.
  • Configure your deployment to use a reverse proxy or load balancer that normalizes or rejects malformed Host headers, ensuring that only trusted hostnames reach the application.
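The second recommended action, validating the Host header before anything reads ctx.hostname, as an added example (not Koa's or OpenCVE's code); it assumes only Koa's real `ctx.get()` and `ctx.throw()` helpers, and the allow-list hostname `app.example.com` is a constructed placeholder:

```javascript
// Added example, not Koa's or OpenCVE's code: Koa-style middleware that
// validates the raw Host header before any later code reads ctx.hostname.
// Assumes only Koa's ctx.get() and ctx.throw() helpers.

// DNS-safe subset of the RFC 3986 reg-name grammar: "@", "/", "?", "#" and
// whitespace can never match, so userinfo-style Host values fail closed.
// Bracketed IPv6 literals are deliberately not accepted by this allow-list.
const DNS_LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
const HOSTNAME_RE = new RegExp(`^${DNS_LABEL}(?:\\.${DNS_LABEL})*$`);
const PORT_RE = /^[0-9]{1,5}$/;

// Returns { hostname, port } for a well-formed Host header, or null otherwise.
// Unlike the vulnerable getter, it checks the text before the colon instead
// of returning it as-is, and it validates the port rather than discarding it.
function parseHostHeader(header) {
  if (typeof header !== 'string' || header.length === 0 || header.length > 255) return null;
  const sep = header.indexOf(':');
  const hostname = sep === -1 ? header : header.slice(0, sep);
  let port = null;
  if (sep !== -1) {
    const raw = header.slice(sep + 1); // a second ":" lands here and fails PORT_RE
    if (!PORT_RE.test(raw) || Number(raw) > 65535) return null;
    port = Number(raw);
  }
  if (!HOSTNAME_RE.test(hostname)) return null;
  return { hostname: hostname.toLowerCase(), port };
}

// Middleware factory: reject requests whose Host header is malformed or not on
// the deployment's allow-list, so ctx.hostname downstream only sees hostnames
// you chose. Behind a proxy with app.proxy = true, Koa derives ctx.host from
// X-Forwarded-Host instead, so apply the same check to that header too.
function requireValidHost(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function hostGuard(ctx, next) {
    const parsed = parseHostHeader(ctx.get('Host'));
    if (parsed === null || !allowed.has(parsed.hostname)) {
      ctx.throw(400, 'Invalid Host header'); // Koa's helper: throws an HttpError
    }
    return next();
  };
}

// Usage in an app: app.use(requireValidHost(['app.example.com'])) before any
// route that builds links from ctx.hostname.
```

Register the guard ahead of any middleware that generates password-reset or verification links, since Koa runs middleware in registration order.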

Advisories
Source: GitHub GHSA
ID: GHSA-7gcc-r8m5-44qm
Title: Koa has Host Header Injection via ctx.hostname
History

Sat, 28 Feb 2026 04:15:00 +0000
  • Metrics added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 28 Feb 2026 01:00:00 +0000
  • Weaknesses added: NVD-CWE-noinfo
  • CPEs added: cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*

Sat, 28 Feb 2026 00:15:00 +0000
  • References: added
  • Metrics: threat_severity changed from None to Important

Thu, 26 Feb 2026 13:30:00 +0000
  • First Time appeared: Koajs, Koajs koa
  • Vendors & Products added: Koajs, Koajs koa

Thu, 26 Feb 2026 02:15:00 +0000
  • Description added (the text shown in the Description section at the top of this page)
  • Title added: Koa has Host Header Injection via `ctx.hostname`
  • Weaknesses added: CWE-20
  • References: added
  • Metrics added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-02-26T19:32:00.105Z
Reserved: 2026-02-25T03:24:57.792Z
Link: CVE-2026-27959

Vulnrichment
Updated: 2026-02-26T19:31:35.224Z

NVD
Status: Analyzed
Published: 2026-02-26T02:16:23.317
Modified: 2026-02-28T00:55:26.413
Link: CVE-2026-27959

Redhat
Severity: Important
Public Date: 2026-02-26T01:45:45Z
Links: CVE-2026-27959 - Bugzilla

OpenCVE Enrichment
Updated: 2026-04-17T14:45:21Z

Weaknesses