
CVE-2026-27959

Severity: High · Public PoC · Updated

Published: 26 February 2026

Modified: 30 June 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS score: 0.0032 (24.1st percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-27959 is a high-severity Improper Input Validation (CWE-20) vulnerability in Koajs Koa. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27959 is a Host header injection vulnerability in Koa, a middleware framework for Node.js that uses ES2017 async functions. The issue affects Koa versions prior to 3.1.2 and 2.16.4, specifically in the `ctx.hostname` API, which naively parses the HTTP Host header by extracting everything before the first colon without validating conformance to RFC 3986 hostname syntax. A malformed Host header containing an `@` symbol causes `ctx.hostname` to return an attacker-controlled value, such as `evil[.]com`. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and is associated with CWE-20 (Improper Input Validation).

Remote attackers without authentication can exploit this vulnerability by sending a specially crafted HTTP request with a malformed Host header. Exploitation succeeds if the affected application relies on `ctx.hostname` for generating URLs, password reset links, email verification URLs, or routing decisions, enabling Host header injection attacks. This allows attackers to manipulate outbound links or redirects to point to malicious domains, potentially leading to phishing, open redirects, or unauthorized actions, with high integrity impact but no confidentiality or availability disruption.

The Koa security advisory (GHSA-7gcc-r8m5-44qm) and related GitHub commits detail the fix, recommending an upgrade to Koa versions 3.1.2 or 2.16.4, which implement proper validation of the Host header per RFC 3986 syntax. No additional mitigations are specified in the provided references.
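As an added example (not Koa's own code, nor the fix from the advisory), the colon-split parsing described above sits beside a parser that accepts a Host header only when it matches the RFC 3986 host[:port] grammar, plus a Koa-style middleware that rejects the request before any downstream code reads `ctx.hostname`. The names `naiveHostname`, `safeHostname` and `hostGuard`, and the `ctx.get` / `ctx.throw` / `ctx.state` shape the middleware assumes, are illustrative.

```javascript
'use strict';

// Added illustration, not Koa's own code: the naive split the advisory
// describes, beside a parser that validates the Host header against the
// RFC 3986 host/port grammar before returning a hostname.
const REG_NAME = /^[A-Za-z0-9\-._~%!$&'()*+,;=]+$/; // unreserved / pct-encoded / sub-delims
const IP_LITERAL = /^\[[0-9A-Fa-f:.]+\]$/;           // IPv6 literal, simplified
const PORT = /^[0-9]*$/;

// Everything before the first colon, with no validation: an '@' (not a
// legal reg-name character) passes straight through into the result.
function naiveHostname(host) {
  return host.split(':', 1)[0];
}

// Hardened version: returns the lower-cased hostname only if the whole
// header is a valid host[:port]; otherwise null so the caller can reject it.
function safeHostname(host) {
  if (typeof host !== 'string' || host.length === 0) return null;
  let name;
  let port;
  if (host[0] === '[') {
    const end = host.indexOf(']');
    if (end === -1) return null;
    name = host.slice(0, end + 1);
    const rest = host.slice(end + 1);
    if (rest !== '' && rest[0] !== ':') return null;
    port = rest.slice(1);
    if (!IP_LITERAL.test(name)) return null;
  } else {
    const idx = host.indexOf(':');
    name = idx === -1 ? host : host.slice(0, idx);
    port = idx === -1 ? '' : host.slice(idx + 1);
    if (!REG_NAME.test(name)) return null; // rejects '@', '/', spaces, ...
  }
  if (!PORT.test(port)) return null;
  return name.toLowerCase();
}

// Koa-style middleware (assumed ctx.get / ctx.throw / ctx.state shape) that
// rejects a malformed Host header before anything downstream reads ctx.hostname.
function hostGuard(ctx, next) {
  const name = safeHostname(ctx.get('Host'));
  if (name === null) ctx.throw(400, 'Malformed Host header');
  ctx.state.trustedHostname = name;
  return next();
}
```

Mount `hostGuard` before any middleware that builds links or routes on the hostname, so URL generation only ever sees a value that passed the grammar check.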

Vulnerability details

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating that the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com`, an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.

CWE(s): CWE-20 (Improper Input Validation)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

Why these techniques?

The CVE directly describes remote, unauthenticated exploitation of a public-facing Koa-based web app via crafted Host headers (T1190); the resulting manipulation of generated URLs and reset links enables delivery of attacker-controlled phishing links (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25200 (same product: Koajs Koa)
CVE-2025-48913 (shared CWE-20)
CVE-2025-67484 (shared CWE-20)
CVE-2026-4755 (shared CWE-20)
CVE-2026-23489 (shared CWE-20)
CVE-2025-54385 (shared CWE-20)
CVE-2026-48188 (shared CWE-20)
CVE-2026-22567 (shared CWE-20)
CVE-2026-26063 (shared CWE-20)
CVE-2024-36047 (shared CWE-20)

Affected Assets

koajs koa: ≤ 2.16.4 · 3.0.0 — 3.1.2

Mitigating Controls (NIST 800-53 r5, AI-mapped)

Prevent, SI-10 (Information Input Validation): Directly requires validation of HTTP Host header inputs against RFC 3986 syntax to prevent extraction of attacker-controlled hostnames like evil[.]com.

Prevent, SI-2 (Flaw Remediation): Mandates timely flaw remediation by upgrading Koa to versions 3.1.2 or 2.16.4, which implement proper Host header validation.

Prevent: Filters or sanitizes information outputs such as generated URLs, password reset links, and email verification URLs that incorporate the untrusted ctx.hostname value.
