CVE-2026-27959
Published: 26 February 2026
Summary
CVE-2026-27959 is a high-severity Improper Input Validation (CWE-20) vulnerability in Koajs Koa. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-27959 is a Host header injection vulnerability in Koa, a middleware framework for Node.js that uses ES2017 async functions. The issue affects Koa versions prior to 3.1.2 and 2.16.4, specifically in the `ctx.hostname` API, which naively parses the HTTP Host header by extracting everything before the first colon without validating conformance to RFC 3986 hostname syntax. A malformed Host header containing an `@` symbol causes `ctx.hostname` to return an attacker-controlled value, such as `evil[.]com`. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-20 (Improper Input Validation).
Remote attackers without authentication can exploit this vulnerability by sending a specially crafted HTTP request with a malformed Host header. Exploitation succeeds if the affected application relies on `ctx.hostname` for generating URLs, password reset links, email verification URLs, or routing decisions, enabling Host header injection attacks. This allows attackers to manipulate outbound links or redirects to point to malicious domains, potentially leading to phishing, open redirects, or unauthorized actions, with high integrity impact but no confidentiality or availability disruption.
The Koa security advisory (GHSA-7gcc-r8m5-44qm) and related GitHub commits detail the fix, recommending an upgrade to Koa versions 3.1.2 or 2.16.4, which implement proper validation of the Host header per RFC 3986 syntax. No additional mitigations are specified in the provided references.
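To make the mechanism concrete, the following is an added Node.js example; it is not Koa's code and not the upstream patch. `naiveHostname` reproduces the pre-fix behaviour the advisory describes (everything before the first colon, no validation). `validatedHostname` is this example's own RFC 3986 reg-name check and stands in for whatever 3.1.2 / 2.16.4 actually ship. The Host value `legit.example@evil.example`, the `resetLink` helper and the token are constructed for the demonstration and replace the page's defanged `evil[.]com`.

```javascript
// Added example (not Koa's code or its patch). Shows why the pre-fix
// ctx.hostname parsing described for CVE-2026-27959 is exploitable and
// what an RFC 3986 host check looks like. Node.js >= 10 (global URL).

// 1. The behaviour the advisory describes for the vulnerable getter:
//    take everything before the first ':' and trust it.
function naiveHostname(host) {
  if (!host) return '';
  return host.split(':', 1)[0];
}

// RFC 3986 §3.2.2 reg-name = *( unreserved / pct-encoded / sub-delims ).
// '@' and ':' are gen-delims, so they can never appear inside a host name;
// a Host header containing them is malformed and should be rejected.
const REG_NAME = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$/;
// IP-literal: bracketed IPv6, kept deliberately simple in this example.
const IP_LITERAL = /^\[[0-9A-Fa-f:.]+\]$/;
// Optional ":port" suffix (RFC 3986 port = *DIGIT; 1-5 digits here).
const PORT_SUFFIX = /^:\d{1,5}$/;

// 2. Hardened equivalent (this example's own implementation, not the
//    upstream fix). Returns null for any Host that is not a syntactically
//    valid authority, so a caller can answer 400 instead of trusting it.
function validatedHostname(host) {
  if (!host) return '';
  let name, port;
  if (host[0] === '[') {                 // IPv6 literal, e.g. [::1]:3000
    const end = host.indexOf(']');
    if (end === -1) return null;
    name = host.slice(0, end + 1);
    port = host.slice(end + 1);
    if (!IP_LITERAL.test(name)) return null;
  } else {
    const idx = host.indexOf(':');
    name = idx === -1 ? host : host.slice(0, idx);
    port = idx === -1 ? '' : host.slice(idx);
    if (!REG_NAME.test(name)) return null;   // rejects '@', second ':' etc.
  }
  if (port !== '' && !PORT_SUFFIX.test(port)) return null;
  return name;
}

// 3. A typical consumer: build an absolute link from the hostname and
//    mail it to the user. Constructed helper; the token is a placeholder.
function resetLink(hostname, token) {
  return `https://${hostname}/reset?token=${encodeURIComponent(token)}`;
}

// Where a browser following `link` actually connects. WHATWG URL parsing
// treats everything before '@' as userinfo, so the host is what follows it.
function linkDestination(link) {
  return new URL(link).hostname;
}

// Constructed attacker Host header: the legitimate name before '@' is
// decoration; the real destination is the part after it.
const ATTACKER_HOST = 'legit.example@evil.example';

function demo() {
  const trusted = naiveHostname(ATTACKER_HOST);
  return {
    naive: trusted,                                                 // 'legit.example@evil.example'
    destination: linkDestination(resetLink(trusted, 'reset-token')), // 'evil.example'
    validated: validatedHostname(ATTACKER_HOST),                    // null: reject the request
    benign: validatedHostname('legit.example:8443'),                // 'legit.example'
    ipv6: validatedHostname('[::1]:3000'),                          // '[::1]'
  };
}

console.log(demo());
```

The point of `linkDestination` is that the naive value looks harmless when printed (it begins with the legitimate name) but any link built from it resolves to the attacker's host; that is the integrity impact the CVSS vector records. Before upgrading, a quick repository search for `ctx.hostname` and `ctx.request.hostname` tells you whether your application is a consumer at all.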
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8816
Vulnerability details
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE directly describes remote unauthenticated exploitation of a public-facing Koa-based web app via crafted Host headers (T1190); the resulting manipulation of generated URLs and reset links enables delivery of attacker-controlled phishing links (T1566.002).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of HTTP Host header inputs against RFC 3986 syntax to prevent extraction of attacker-controlled hostnames like evil[.]com.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation by upgrading Koa to versions 3.1.2 or 2.16.4, which implement proper Host header validation.
- Information output filtering: Filters or sanitizes information outputs such as generated URLs, password reset links, and email verification URLs that incorporate the untrusted ctx.hostname value.