koa 0.5.2 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the koa package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H HTTP Header Injection koa is a Koa web app framework Affected versions of this package are vulnerable to HTTP Header Injection via the `hostname` function in the. `request.js` file. An attacker can manipulate the value `hostname` by sending a specially crafted HTTP Host header containing an `@` symbol, which can lead to the generation of attacker-controlled URLs or influence routing decisions. How to fix HTTP Header Injection? Upgrade `koa` to version 2.16.4, 3.1.2 or higher.	<2.16.4>=3.0.0-alpha.0 <3.1.2
M Open Redirect koa is a Koa web app framework Affected versions of this package are vulnerable to Open Redirect via the `back` function in `lib/response.js` which uses the user-controllable referrer header as the redirect target. An attacker can redirect users to arbitrary external sites by manipulating the `Referrer` argument. How to fix Open Redirect? Upgrade `koa` to version 2.16.2, 3.0.1 or higher.	<2.16.2>=3.0.0-alpha.0 <3.0.1
L Cross-site Scripting (XSS) koa is a Koa web app framework Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `ctx.redirect()` function. An attacker can execute scripts on the user's browser or redirect users to malicious sites by supplying malicious input as an achor reference. How to fix Cross-site Scripting (XSS)? Upgrade `koa` to version 2.16.1, 3.0.0-alpha.5 or higher.	<2.16.1>=3.0.0-alpha.1 <3.0.0-alpha.5
C Regular Expression Denial of Service (ReDoS) koa is a Koa web app framework Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsing of `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `koa` to version 0.21.2, 1.7.1, 2.15.4, 3.0.0-alpha.3 or higher.	<0.21.2>=1.0.0 <1.7.1>=2.0.0-alpha.1 <2.15.4>=3.0.0-alpha.0 <3.0.0-alpha.3

Vulnerability

Vulnerable Version

HTTP Header Injection

koa is a Koa web app framework

Affected versions of this package are vulnerable to HTTP Header Injection via the hostname function in the. request.js file. An attacker can manipulate the value hostname by sending a specially crafted HTTP Host header containing an @ symbol, which can lead to the generation of attacker-controlled URLs or influence routing decisions.

How to fix HTTP Header Injection?

Upgrade koa to version 2.16.4, 3.1.2 or higher.

<2.16.4>=3.0.0-alpha.0 <3.1.2

Open Redirect

koa is a Koa web app framework

Affected versions of this package are vulnerable to Open Redirect via the back function in lib/response.js which uses the user-controllable referrer header as the redirect target. An attacker can redirect users to arbitrary external sites by manipulating the Referrer argument.

How to fix Open Redirect?

Upgrade koa to version 2.16.2, 3.0.1 or higher.

<2.16.2>=3.0.0-alpha.0 <3.0.1

Cross-site Scripting (XSS)

koa is a Koa web app framework

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ctx.redirect() function. An attacker can execute scripts on the user's browser or redirect users to malicious sites by supplying malicious input as an achor reference.

How to fix Cross-site Scripting (XSS)?

Upgrade koa to version 2.16.1, 3.0.0-alpha.5 or higher.

<2.16.1>=3.0.0-alpha.1 <3.0.0-alpha.5

Regular Expression Denial of Service (ReDoS)

koa is a Koa web app framework

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsing of X-Forwarded-Proto and X-Forwarded-Host HTTP headers.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade koa to version 0.21.2, 1.7.1, 2.15.4, 3.0.0-alpha.3 or higher.

<0.21.2>=1.0.0 <1.7.1>=2.0.0-alpha.1 <2.15.4>=3.0.0-alpha.0 <3.0.0-alpha.3

koa@0.5.2 vulnerabilities

Koa web app framework

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically