PatchSiren cyber security CVE debrief

CVE-2026-9495 koajs CVE debrief

CVE-2026-9495 documents an access control bypass vulnerability in @koa/router versions 14.0.0 through 14.x, where middleware is silently dropped from the execution chain when a router prefix contains path parameters. This defect can enable authentication/authorization bypass, rate limit evasion, or input sanitization bypass depending on the skipped middleware's purpose. The vulnerability was disclosed on 2026-05-26 and carries a CVSS 4.0 score of 5.5 (MEDIUM). A fix is available in version 15.0.0.

Vendor: koajs
Product: @koa/router
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations using @koa/router versions 14.0.0 through 14.x in production applications, particularly those relying on middleware for security controls. Development teams using parameterized route prefixes with security-critical middleware chains. Security teams auditing Node.js/Koa applications for access control weaknesses.

Technical summary

The @koa/router package (versions 14.0.0 to 14.x) fails to properly execute middleware when a router prefix contains path parameters (e.g., /users/:id). The middleware is silently dropped from the execution chain without error, causing security-critical middleware—such as authentication, authorization, rate limiting, or input sanitization—to be skipped. An attacker who can craft requests matching routes with parameterized prefixes may bypass these controls. The vulnerability is classified as CWE-284 (Improper Access Control). The fix in version 15.0.0 ensures middleware is correctly registered and executed regardless of prefix parameterization.
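The failure mode above is easy to miss precisely because nothing errors: the request succeeds and the skipped middleware leaves no trace. The following is an added example, not code from the advisory or from the koajs project, showing one way to make the problem visible in a test or in request logs: wrap each middleware in a tracer that records its name on the Koa context, then assert after dispatch that every security-critical name appears. compose() re-implements koa-compose's calling convention with Node built-ins so the file runs without koa or @koa/router installed. buildChain() and its dropOnParam switch are a hypothetical stand-in that reproduces only the symptom described above (prefix-level middleware absent when the prefix is parameterized); they are not a model of @koa/router's internals. The middleware functions and the request context are constructed for the demo.

```javascript
// Added example, not code from the advisory or from the koajs project.
// compose(): minimal koa-compose with the same (ctx, next) convention.
// traced(): records which middleware ran on ctx.state.middlewareTrace.
// buildChain(): HYPOTHETICAL stand-in that reproduces only the symptom the
// advisory describes, not @koa/router's actual code.

function compose(middleware) {
  return function (ctx, next) {
    let index = -1;
    function dispatch(i) {
      if (i <= index) return Promise.reject(new Error('next() called multiple times'));
      index = i;
      const fn = i === middleware.length ? next : middleware[i];
      if (!fn) return Promise.resolve();
      try {
        return Promise.resolve(fn(ctx, dispatch.bind(null, i + 1)));
      } catch (err) {
        return Promise.reject(err);
      }
    }
    return dispatch(0);
  };
}

// Record the middleware's name before running it. Writing this array to the
// request log lets you spot chains that skipped a step in production.
function traced(name, fn) {
  return (ctx, next) => {
    ctx.state.middlewareTrace = ctx.state.middlewareTrace || [];
    ctx.state.middlewareTrace.push(name);
    return fn(ctx, next);
  };
}

// Names from `required` that never appeared in this request's trace.
function missingMiddleware(ctx, required) {
  const ran = new Set(ctx.state.middlewareTrace || []);
  return required.filter((name) => !ran.has(name));
}

// Constructed middleware; real ones would consult a token store, a limiter, etc.
const rateLimit = traced('rateLimit', async (ctx, next) => { await next(); });
const requireAuth = traced('requireAuth', async (ctx, next) => {
  if (!ctx.state.user) { ctx.status = 401; return; } // unauthenticated: stop here
  await next();
});
const handler = traced('handler', async (ctx) => { ctx.status = 200; ctx.body = 'ok'; });

// Hypothetical router stand-in: with dropOnParam set, a prefix carrying a
// path parameter loses its prefix-level middleware (the advisory's symptom).
function buildChain(prefix, prefixMiddleware, routeHandler, { dropOnParam }) {
  const parameterized = /:\w+/.test(prefix);
  const chain = dropOnParam && parameterized ? [] : [...prefixMiddleware];
  return compose([...chain, routeHandler]);
}

// Send one unauthenticated request through the chain and report the gaps.
async function checkRoute(prefix, { dropOnParam }) {
  const ctx = { state: { user: null }, status: 404, body: undefined };
  await buildChain(prefix, [rateLimit, requireAuth], handler, { dropOnParam })(ctx);
  return { status: ctx.status, missing: missingMiddleware(ctx, ['rateLimit', 'requireAuth']) };
}

async function demo() {
  return {
    fixed: await checkRoute('/users/:id', { dropOnParam: false }),    // 401, missing: []
    affected: await checkRoute('/users/:id', { dropOnParam: true }),  // 200, missing: both
  };
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The check worth keeping after the upgrade is the last two lines of checkRoute: an unauthenticated request to a parameterized-prefix route must come back 401 with an empty missing list. A 200 with names in missing is exactly the signature the advisory describes.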

Defensive priority

medium

Recommended defensive actions

  • Upgrade @koa/router to version 15.0.0 or later
  • Review application routes for router prefixes containing path parameters
  • Audit middleware chains to identify security-critical middleware that may be affected
  • Test authentication, authorization, rate limiting, and input sanitization flows after upgrade
  • Monitor application logs for unexpected middleware execution patterns
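The first two actions above (confirm the installed version, find parameterized prefixes) can be scripted. The following is an added example, not code from the advisory or from the koajs project. It assumes the npm package-lock v2/v3 layout, where every installed copy is listed under "packages" keyed by its node_modules path, and it looks for the two real ways @koa/router takes a prefix, new Router({ prefix }) and router.prefix(). The lock fragment and the routes source are constructed for the demo, and the file name routes.js is a placeholder; on a real tree, read package-lock.json and the route files with fs.readFileSync and pass them to audit().

```javascript
// Added example, not code from the advisory or from the koajs project.
// isAffected()/affectedInstalls(): is a resolved @koa/router version inside
//   the advisory's range (>= 14.0.0, < 15.0.0)?
// findParameterizedPrefixes(): which Router prefixes carry a path parameter?
// SAMPLE_LOCK and SAMPLE_SOURCE are constructed inputs for the demo.

const AFFECTED_MIN = [14, 0, 0];
const FIXED_IN = [15, 0, 0];

// "14.2.1", "v14.2.1", "^14.2.1" -> [14, 2, 1]. A caret/tilde range is reduced
// to its lower bound, which is sufficient for a < 15.0.0 cut-off.
function parseVersion(v) {
  const m = /^[\^~]?v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isAffected(version) {
  const p = parseVersion(version);
  return p !== null && compareVersions(p, AFFECTED_MIN) >= 0 && compareVersions(p, FIXED_IN) < 0;
}

// Walk every installed copy, including ones nested under another package.
function affectedInstalls(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith('node_modules/@koa/router'))
    .filter(([, meta]) => isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// new Router({ prefix: '...' }) and router.prefix('...'), string literals only.
const PREFIX_PATTERNS = [
  /prefix\s*:\s*(['"`])([^'"`]+)\1/g,
  /\.prefix\(\s*(['"`])([^'"`]+)\1\s*\)/g,
];
const PATH_PARAM = /:[A-Za-z_$][\w$]*/;

function findParameterizedPrefixes(source, file = '<input>') {
  const findings = [];
  source.split('\n').forEach((line, i) => {
    for (const re of PREFIX_PATTERNS) {
      re.lastIndex = 0;
      let m;
      while ((m = re.exec(line)) !== null) {
        if (PATH_PARAM.test(m[2])) findings.push({ file, line: i + 1, prefix: m[2] });
      }
    }
  });
  return findings;
}

// ---- constructed inputs for the demo ----
const SAMPLE_LOCK = {
  packages: {
    'node_modules/@koa/router': { version: '14.0.0' },
    'node_modules/some-plugin/node_modules/@koa/router': { version: '13.1.0' },
  },
};

const SAMPLE_SOURCE = `
const Router = require('@koa/router');
const users = new Router({ prefix: '/users/:id' });
users.use(requireAuth);
users.get('/profile', showProfile);

const admin = new Router({ prefix: '/admin' });
admin.use(requireAdmin);

const files = new Router();
files.prefix('/orgs/:orgId/files');
files.use(rateLimit);
`;

function audit(lock = SAMPLE_LOCK, source = SAMPLE_SOURCE) {
  return {
    affectedInstalls: affectedInstalls(lock),
    parameterizedPrefixes: findParameterizedPrefixes(source, 'routes.js'),
  };
}

console.log(JSON.stringify(audit(), null, 2));
```

Each finding in parameterizedPrefixes is a router whose use()-registered middleware deserves the runtime check from the technical summary; a non-empty affectedInstalls list means the upgrade has not actually landed everywhere, which matters when a dependency pins its own nested copy.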

Evidence notes

The vulnerability affects @koa/router from 14.0.0 up to, but not including, 15.0.0. The root cause is middleware being silently dropped when a router prefix contains path parameters. The fix was committed to the koajs/router repository and released in version 15.0.0.
