{"id":"CVE-2025-25200","summary":"Koa has Inefficient Regular Expression Complexity","details":"Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.","aliases":["GHSA-593f-38f6-jp5m"],"modified":"2026-04-10T05:24:18.860674Z","published":"2025-02-12T17:59:04.615Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25200.json","cwe_ids":["CWE-1333"]},"references":[{"type":"WEB","url":"https://github.com/koajs/koa/blob/master/lib/request.js#L259"},{"type":"WEB","url":"https://github.com/koajs/koa/blob/master/lib/request.js#L404"},{"type":"WEB","url":"https://github.com/koajs/koa/releases/tag/2.15.4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/25xxx/CVE-2025-25200.json"},{"type":"ADVISORY","url":"https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-25200"},{"type":"FIX","url":"https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"},{"type":"FIX","url":"https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"},{"type":"FIX","url":"https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/koajs/koa","events":[{"introduced":"0b9c032af148d4b16129c7f712577b5a9e44e353"},{"fixed":"93fe903fc966635a991bcf890cfc3427d33a1a08"}],"database_specific":{"versions":[{"introduced":"1.0.0"},{"fixed":"1.7.1"}]}},{"type":"GIT","repo":"https://github.com/koajs/koa","events":[{"introduced":"c2206a287de655245105dfd07d7fa70f5ae320af"},{"fixed":"5f294bb1c7c8d9c61904378d250439a321bffd32"}],"database_specific":{"versions":[{"introduced":"2.0.0-alpha.1"},{"fixed":"2.15.4"}]}}],"versions":["1.0.0","1.1.0","1.1.1","1.1.2","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.3.0","1.4.0","1.4.1","1.5.0","1.5.1","1.6.0","1.6.1","1.6.2","1.7.0","2.0.0-alpha.1","2.0.0-alpha.2","2.0.0-alpha.3","2.0.0-alpha.4","2.0.0-alpha.5","2.0.0-alpha.6","2.0.0-alpha.7","2.0.0-alpha.8","2.0.1","2.1.0","2.10.0","2.11.0","2.12.0","2.12.1","2.13.0","2.13.1","2.13.2","2.13.3","2.13.4","2.14.0","2.14.1","2.14.2","2.15.0","2.15.1","2.15.2","2.15.3","2.3.0","2.4.0","2.4.1","2.5.0","2.5.1","2.5.2","2.5.3","2.6.0","2.6.1","2.6.2","2.7.0","2.8.0","2.8.1","2.8.2","2.9.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25200.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"}]}