References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Change History

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1333

https://github.com/koajs/koa/blob/master/lib/request.js#L259

https://github.com/koajs/koa/blob/master/lib/request.js#L404

https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c

https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32

https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08

https://github.com/koajs/koa/releases/tag/2.15.4

https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m