PatchSiren

Koajs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM koajs CVE published 2026-05-26

CVE-2026-9495

CVE-2026-9495 documents an access control bypass vulnerability in @koa/router versions 14.0.0 through 14.x, where middleware is silently dropped from the execution chain when a router prefix contains path parameters. This defect can enable authentication/authorization bypass, rate limit evasion, or input sanitization bypass depending on the skipped middleware's purpose. The vulnerability was disclosed on [truncated]

HIGH Koajs CVE published 2026-02-26

CVE-2026-27959

CVE-2026-27959 is a HIGH severity vulnerability in Koa, a middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. This allows for Host header injection attacks when a malformed Host header c [truncated]