Key Information

Summary

- Vulnerability: Host Header Injection via naive `Host` header parsing
- Package: koa (npm)
- Affected Versions: -
- Patched Versions: -
- Severity: High (CVSS Score: 7.5/10)

Description

Koa's request API performs naive parsing of the HTTP `Host` header: the `hostname` getter takes everything before the first colon. This can be exploited when a malformed `Host` header containing an `@` symbol is received, because the text before the first colon is then attacker-chosen and is not the host the request will actually reach.

Details

The vulnerability exists in Koa's `hostname` getter. The parsing logic splits the host value on the first colon and returns the first segment without validating the resulting string. An attacker can send a `Host` header containing an `@` symbol, producing a malformed authority component (userinfo followed by the real host) that the naive split misreads.

Attack Vector

When an attacker sends a `Host` header such as `evil.com:fake@legitimate.com:3000` (the value reflected in `ctx.origin` below), Koa parses it as:

- `ctx.hostname` returns: "evil.com"
- `ctx.origin` returns: "http://evil.com:fake@legitimate.com:3000"

Impact

1. Password Reset Poisoning:
   - Attackers can hijack password reset tokens.
   - Victims receive poisoned reset links.
2. Email Verification Bypass:
   - Attackers can poison email verification links.
3. OAuth/SSO Callback Manipulation:
   - Attackers can redirect OAuth callbacks to malicious servers.
4. Web Cache Poisoning:
   - Persistent XSS/phishing via cached responses.

Additional Concern: ctx.origin

Koa's `origin` getter concatenates the protocol and the host without validation, so the raw malformed `Host` value is reflected verbatim into any absolute URL built from it.

PoC Setup

The PoC shows how to set up a vulnerable server (one that builds a password reset link from `ctx.hostname` or `ctx.origin`) and exploit the vulnerability.

Exploit

Example command to exploit the vulnerability: a single request carrying the crafted `Host` header against the PoC server.

Result

The password reset URL points at the attacker-controlled value instead of the legitimate server.

Deployment Considerations

The attack can succeed in production whenever the malicious `Host` header reaches the Koa application, that is, whenever no reverse proxy or load balancer in front of it rejects or rewrites unexpected `Host` values. Do not assume a proxy does this unless it is explicitly configured to.

Who Is Impacted

Direct impact: any Koa application using `ctx.hostname` or `ctx.origin` for URL generation without additional validation. The safe pattern is to validate the incoming host against an explicit allowlist of names the application serves, or to build absolute URLs from a configured base URL rather than from request headers.