CVE-2026-27959

{"id": "CVE-2026-27959", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-26T02:16:23.317", "references": [{"url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}, {"lang": "es", "value": "Koa es un middleware para Node.js que utiliza funciones as\u00edncronas de ES2017. Antes de las versiones 3.1.2 y 2.16.4, la API `ctx.hostname` de Koa realiza un an\u00e1lisis ingenuo del encabezado Host HTTP, extrayendo todo lo que precede al primer signo de dos puntos sin validar que la entrada cumpla con la sintaxis de nombre de host de RFC 3986. Cuando se recibe un encabezado Host malformado que contiene un s\u00edmbolo '@', `ctx.hostname` devuelve 'evil[.]com' - un valor controlado por el atacante. Las aplicaciones que utilizan `ctx.hostname` para la generaci\u00f3n de URL, enlaces de restablecimiento de contrase\u00f1a, URL de verificaci\u00f3n de correo electr\u00f3nico o decisiones de enrutamiento son vulnerables a ataques de inyecci\u00f3n de encabezado Host. Las versiones 3.1.2 y 2.16.4 solucionan el problema."}], "lastModified": "2026-02-28T00:55:26.413", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "47B8F313-898E-4B6D-936A-8F35AC7E7C20", "versionEndExcluding": "2.16.14"}, {"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "D5367576-B8D5-45EE-9214-D40A4E6E1049", "versionEndExcluding": "3.1.2", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}