koa
npm
3 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting koa
- CVE-2025-25200 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.15.4 | 2025-02-12
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exp…
- CVE-2025-32379 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 2.16.1 | 2025-04-09
Koa is expressive middleware for Node.js using ES2017 async functions. In koa < 2.16.1 and < 3.0.0-alpha.5, passing untrusted user input to ctx.redirect(), even after sanitizing it, may execute JavaScript code on the users who use the app. T…
- CVE-2025-8129 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 3.0.1 | 2025-07-25
A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to…