Denial-of-Service Vulnerability in Koa by the Koa Development Team
CVE-2025-25200

9.2 CRITICAL

Key Information:

Vendor: Koajs

Status: Vendor

CVE Published: 12 February 2025

What is CVE-2025-25200?

Koa, a middleware framework for Node.js web applications, is affected by a vulnerability caused by improper parsing of the X-Forwarded-Proto and X-Forwarded-Host HTTP headers. An attacker can trigger it with a single crafted request, causing a denial of service that takes the server out of operation. All versions prior to 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 are affected. The Koa Development Team has released patches in those versions to address the issue.
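The advisory states that the fault lies in how Koa parses these two forwarded headers, so the defensive move (besides upgrading) is to validate them in bounded, linear time before the framework's own getters see them. The block below is an added example, not Koa's code or the upstream patch. It assumes a length cap of 256 bytes and the host/proto character rules shown, both chosen here for illustration, and it assumes the usual Koa `(ctx, next)` middleware signature; Koa itself is not needed to run the file, and the sample headers at the bottom are constructed, not captured traffic.

```javascript
'use strict';
// Added example (not Koa's own code). Validates X-Forwarded-Proto and
// X-Forwarded-Host with length-bounded, linear-time checks so that a
// malformed or oversized value is rejected before the framework parses it.
// MAX_FORWARDED_LEN and the character rules below are assumptions for this
// example, not values taken from the advisory.

const MAX_FORWARDED_LEN = 256; // assumed cap; real proxy values are far shorter

// Anchored patterns with one repetition each and no nested quantifiers,
// so a failed match costs at most linear work in the input length.
const HOST_RE = /^[A-Za-z0-9.-]+(?::\d{1,5})?$/;           // hostname or IPv4, optional port
const IPV6_HOST_RE = /^\[[0-9A-Fa-f:.]+\](?::\d{1,5})?$/;  // bracketed IPv6, optional port

// First element of a comma-separated forwarded header. indexOf plus trim is
// linear; a regex split that also tolerates whitespace around the separator
// can backtrack heavily on long whitespace runs, which is the class of
// problem a length cap and a literal split avoid. Returns null when the value
// exceeds the cap so the caller can refuse the request instead of parsing it.
function firstForwardedValue(raw) {
  if (raw === undefined || raw === null) return '';
  const value = Array.isArray(raw) ? raw.join(',') : String(raw);
  if (value.length > MAX_FORWARDED_LEN) return null;
  const comma = value.indexOf(',');
  return (comma === -1 ? value : value.slice(0, comma)).trim();
}

// headers: Node-style object with lowercase keys (e.g. ctx.request.headers).
// Returns { ok: true, proto, host } or { ok: false, reason }.
function checkForwardedHeaders(headers) {
  const rawProto = firstForwardedValue(headers['x-forwarded-proto']);
  const host = firstForwardedValue(headers['x-forwarded-host']);
  if (rawProto === null || host === null) {
    return { ok: false, reason: 'forwarded header exceeds length cap' };
  }
  const proto = rawProto.toLowerCase();
  if (proto !== '' && proto !== 'http' && proto !== 'https') {
    return { ok: false, reason: 'x-forwarded-proto must be http or https' };
  }
  if (host !== '' && !HOST_RE.test(host) && !IPV6_HOST_RE.test(host)) {
    return { ok: false, reason: 'x-forwarded-host is not a valid host[:port]' };
  }
  return { ok: true, proto, host };
}

// Koa-style middleware (assumed (ctx, next) signature). Answers 400 and stops
// the chain when the forwarded headers fail validation; otherwise continues.
function forwardedGuard() {
  return async function guard(ctx, next) {
    const verdict = checkForwardedHeaders(ctx.request.headers);
    if (!verdict.ok) {
      ctx.status = 400;
      ctx.body = { error: verdict.reason };
      return;
    }
    await next();
  };
}

// Constructed sample headers: a benign proxied request and an oversized value.
const SAMPLE_OK = {
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'app.example.com, proxy.internal',
};
const SAMPLE_BAD = {
  'x-forwarded-proto': 'https',
  'x-forwarded-host': 'a'.repeat(MAX_FORWARDED_LEN + 1),
};

console.log(checkForwardedHeaders(SAMPLE_OK));  // ok: true, host 'app.example.com'
console.log(checkForwardedHeaders(SAMPLE_BAD)); // ok: false, length-cap reason
```

Register the guard with `app.use(forwardedGuard())` ahead of any middleware that reads `ctx.host` or `ctx.protocol`. Two caveats: Koa only consults X-Forwarded-* headers when `app.proxy` is set to true, so applications that never enable that setting are not reading these headers through the affected path in the first place; and the guard is defense in depth, not a substitute for moving to one of the patched versions listed in the advisory.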

Affected Version(s)

Package | Affected range            | Fixed in
koa     | < 0.21.2                  | 0.21.2
koa     | >= 1.0.0, < 1.7.1         | 1.7.1
koa     | >= 2.0.0-alpha.1, < 2.15.4 | 2.15.4

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
