Browse all 6 CVE security advisories affecting KoaJS. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Koa.js serves as a lightweight Node.js web framework designed for building server-side applications and APIs. Historically, it has been susceptible to remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities, often stemming from middleware misconfigurations and input validation flaws. While no major security incidents have been widely documented, the six recorded CVEs highlight potential risks in middleware handling and request processing. Developers should implement strict input sanitization and keep dependencies updated to mitigate these issues. The framework's minimalistic architecture reduces attack surfaces compared to more complex frameworks, but proper security practices remain essential for production deployments.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-27959 | Koa has Host Header Injection via `ctx.hostname` — koaCWE-20 | 7.5 | High | 2026-02-26 |
| CVE-2025-62595 | Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic — koaCWE-601 | 4.3 | Medium | 2025-10-21 |
| CVE-2025-8129 | KoaJS Koa HTTP Header response.js back redirect — KoaCWE-601 | 3.5 | Low | 2025-07-25 |
| CVE-2025-32379 | XSS at ctx.redirect() function in Koajs — koaCWE-79 | 5.0 | Medium | 2025-04-09 |
| CVE-2025-25200 | Koa has Inefficient Regular Expression Complexity — koaCWE-1333 | 7.5 | - | 2025-02-12 |
| CVE-2023-49803 | @koa/cors has overly permissive origin policy — corsCWE-346 | 8.6 | High | 2023-12-11 |
This page lists every published CVE security advisory associated with KoaJS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.