Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| koa(npm) | 2.0.0 | 2.15.4 | N/A |
| koa(npm) | 3.0.0-alpha.0 | 3.0.0-alpha.3 | N/A |
| koa(npm) | 1.0.0 | 1.7.1 | N/A |
| koa(npm) | 0 | 0.21.2 | N/A |
CVSS Metrics
