← Back to CVE List

CVE-2025-25200

Published: 2025-02-12T18:15Z
Last Modified: 2025-02-12T18:15Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt