npm/koa — 5 CVEs · VulnScope

HIGH7.5CVE-2026-27959Koa has Host Header Injection via ctx.hostname

>= 3.0.0, < 3.1.2

MEDIUM5.0CVE-2025-32379Koajs vulnerable to Cross-Site Scripting (XSS) at ctx.redirect() function

from 0, < 2.16.1

MEDIUM4.7CVE-2025-62595Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic

>= 3.0.1, < 3.0.3

LOW3.5Koa Open Redirect via Referrer Header (User-Controlled)

>= 2.0.0, < 2.16.2

—Inefficient Regular Expression Complexity in koa

>= 2.0.0, < 2.15.4

pkg:npm/koa