{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27959", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:24:57.792Z", "datePublished": "2026-02-26T01:45:45.668Z", "dateUpdated": "2026-02-26T19:32:00.105Z"}, "containers": {"cna": {"title": "Koa has Host Header Injection via `ctx.hostname`", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"}, {"name": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"}, {"name": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"version": ">= 3.0.0, < 3.1.2", "status": "affected"}, {"version": "< 2.16.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:45:45.668Z"}, "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "source": {"advisory": "GHSA-7gcc-r8m5-44qm", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-26T19:31:17.215940Z", "id": "CVE-2026-27959", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:32:00.105Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27959", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-26T19:31:17.215940Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T19:31:35.224Z"}}], "cna": {"title": "Koa has Host Header Injection via `ctx.hostname`", "source": {"advisory": "GHSA-7gcc-r8m5-44qm", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"status": "affected", "version": ">= 3.0.0, < 3.1.2"}, {"status": "affected", "version": "< 2.16.4"}]}], "references": [{"url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "name": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "name": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "name": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-26T01:45:45.668Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27959", "state": "PUBLISHED", "dateUpdated": "2026-02-26T19:32:00.105Z", "dateReserved": "2026-02-25T03:24:57.792Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-26T01:45:45.668Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "47B8F313-898E-4B6D-936A-8F35AC7E7C20", "versionEndExcluding": "2.16.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:koajs:koa:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "D5367576-B8D5-45EE-9214-D40A4E6E1049", "versionEndExcluding": "3.1.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue."}], "id": "CVE-2026-27959", "lastModified": "2026-02-28T00:55:26.413", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-26T02:16:23.317", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "koa: Koa: Host header injection vulnerability due to malformed HTTP Host header parsing", "id": "2442928", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442928"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "status": "draft"}, "cwe": "CWE-20", "details": ["Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.", "A flaw was found in Koa\u2019s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending a malicious Host header to influence the hostname value returned by ctx.hostname. Applications that rely on this value for generating absolute URLs, password reset links, or email verification links without additional validation may be susceptible to Host header injection attacks."], "mitigation": {"lang": "en:us", "value": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates once they become available."}, "name": "CVE-2026-27959", "package_state": [{"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-dashboard-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-mod-arch-gen-ai-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Out of support scope", "package_name": "rhoai/odh-mod-arch-model-registry-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "openshift4/ose-monitoring-plugin-rhel9", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openshift_devspaces:3", "fix_state": "Not affected", "package_name": "devspaces/code-rhel9", "product_name": "Red Hat OpenShift Dev Spaces"}, {"cpe": "cpe:/a:redhat:ansible_portal:2", "fix_state": "Affected", "package_name": "ansible-automation-platform/automation-portal", "product_name": "Self-service automation portal 2"}], "public_date": "2026-02-26T01:45:45Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-27959\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-27959\nhttps://github.com/koajs/koa/commit/55ab9bab044ead4e82c70a30a4f9dc0fc9c1b6df\nhttps://github.com/koajs/koa/commit/b76ddc01fdb703e51652b0fd131d16394cadcfeb\nhttps://github.com/koajs/koa/security/advisories/GHSA-7gcc-r8m5-44qm"], "statement": "Red Hat Product Security considers this issue as High severity. \nA remote, unauthenticated attacker can send a specially crafted HTTP Host header containing a valid RFC 3986 userinfo component (using the @ delimiter). Due to improper parsing of the authority field in the ctx.hostname API, the application may treat attacker-controlled input as the hostname value. Exploitation occurs when the server processes the malicious request and does not require user interaction (UI:N).\nApplications that rely on ctx.hostname to construct absolute URLs, such as: password reset links, email verification links, OAuth redirect URIs, or webhook endpoints, may generate security sensitive URLs that reference an attacker controlled domain. This can result in integrity violations, including manipulation of authentication flows or account takeover scenarios. Integrity impact is therefore rated High.\nConfidentiality impact is considered Low because disclosure of sensitive data depends on application-specific usage patterns. The vulnerability does not automatically expose information from the server. However, if an affected application uses the manipulated hostname value to generate security-sensitive links such as password reset or email verification URLs and embeds tokens in those links without additional validation, a victim who later follows such a link may inadvertently disclose those tokens to an attacker controlled domain. Such disclosure is conditional, application-dependent like how the application constructs URLs. Also, the subsequent user interaction beyond the initial exploitation, the confidentiality impact is assessed as Low (C:L).", "threat_severity": "Important"}