Home > Vulnerability Database > CVE-2025-25200

Mend.io Vulnerability Database

CVE-2025-25200

Good to know:

Date: February 12, 2025

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the "X-Forwarded-Proto" and "X-Forwarded-Host" HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

Severity Score

7.5

Related Resources (10)

Url: https://github.com/koajs/koa/blob/master/lib/request.js#L259

Url: https://github.com/koajs/koa

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-25200

Url: https://github.com/koajs/koa/releases/tag/2.15.4

Url: https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m

Url: https://github.com/koajs/koa/blob/master/lib/request.js#L404

Url: https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c

Url: https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08

Url: https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32

Url: https://www.mend.io/vulnerability-database/CVE-2025-25200

Severity Score

7.5

Weakness Type (CWE)

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

Upgrade Version

Upgrade to version koa - 1.7.1;koa - 3.0.0-alpha.3;koa - 2.15.4;koa - 0.21.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-25200

Good to know:

Date: February 12, 2025

Severity Score

Related Resources (10)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?