{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-08T03:19:02.486","vulnerabilities":[{"cve":{"id":"CVE-2026-27959","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T02:16:23.317","lastModified":"2026-02-28T00:55:26.413","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."},{"lang":"es","value":"Koa es un middleware para Node.js que utiliza funciones asíncronas de ES2017. Antes de las versiones 3.1.2 y 2.16.4, la API `ctx.hostname` de Koa realiza un análisis ingenuo del encabezado Host HTTP, extrayendo todo lo que precede al primer signo de dos puntos sin validar que la entrada cumpla con la sintaxis de nombre de host de RFC 3986. Cuando se recibe un encabezado Host malformado que contiene un símbolo '@', `ctx.hostname` devuelve 'evil[.]com' - un valor controlado por el atacante. Las aplicaciones que utilizan `ctx.hostname` para la generación de URL, enlaces de restablecimiento de contraseña, URL de verificación de correo electrónico o decisiones de enrutamiento son vulnerables a ataques de inyección de encabezado Host. Las versiones 3.1.2 y 2.16.4 solucionan el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-20"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*","versionEndExcluding":"2.16.14","matchCriteriaId":"47B8F313-898E-4B6D-936A-8F35AC7E7C20"},{"vulnerable":true,"criteria":"cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.1.2","matchCriteriaId":"D5367576-B8D5-45EE-9214-D40A4E6E1049"}]}]}],"references":[{"url":"https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}