Description
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.
Published: 2026-05-26
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Versions of @koa/router from 14.0.0 up to but not including 15.0.0 are vulnerable to an Access Control Bypass. The bug causes middleware to be silently dropped from the execution chain whenever the router prefix contains path parameters. As a result, authentication, authorization, rate limiting and input sanitization that should have been enforced by that middleware can be circumvented, allowing an attacker to gain unauthorized access to protected resources or to manipulate requests in ways that bypass normal security controls. This weakness is categorized as CWE‑284.

Affected Systems

The vulnerability affects the Node.js routing library @koa/router in all 14.x releases, that is, every version from 14.0.0 up to but not including 15.0.0. Applications that use this library and define router prefixes containing path parameters are exposed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting that no mass exploitation campaigns are known. However, the attack vector is inferred to be remote, relying on an attacker sending crafted HTTP requests to a Koa application that utilizes the vulnerable router prefix. If the application does not enforce additional authentication or rate‑limiting at a higher level, the risk of successful exploitation remains significant.

Generated by OpenCVE AI on May 26, 2026 at 07:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @koa/router to the latest stable release (15.0.0 or newer) to apply the vendor‑supplied fix.
  • If an upgrade is not feasible, re‑configure router prefixes to avoid using path parameters or explicitly add the critical middleware before any route that uses a parameterized prefix.
  • Deploy a web‑application firewall or reverse‑proxy based rate‑limiting and authentication layer to provide a secondary barrier against bypass attempts.


Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 07:45:00 +0000

Type: Title
Values added: Access Control Bypass in Koa Router Prefix Path Parameters

Tue, 26 May 2026 06:30:00 +0000

Type: Description
Values added: Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.

Type: Weaknesses
Values added: CWE-284

Type: References
Values added: (none listed)

Type: Metrics
Values added:
  cvssV3_1: score 7.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P
  cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: snyk

Published:

Updated: 2026-05-26T05:00:04.704Z

Reserved: 2026-05-25T09:18:41.020Z

Link: CVE-2026-9495

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T07:30:36Z

Weaknesses