Description

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

INFO

Published Date :

2025-02-12T17:59:04.615Z

Last Modified :

2025-02-12T19:29:10.232Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-25200 vulnerability.

Vendors Products
Koajs
  • Koa
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-25200.

URL Resource
https://github.com/koajs/koa/blob/master/lib/request.js#L259 cve-icon cve-icon cve-icon
https://github.com/koajs/koa/blob/master/lib/request.js#L404 cve-icon cve-icon cve-icon
https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c cve-icon cve-icon cve-icon
https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32 cve-icon cve-icon cve-icon
https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08 cve-icon cve-icon cve-icon
https://github.com/koajs/koa/releases/tag/2.15.4 cve-icon cve-icon cve-icon
https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-25200 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-25200 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact