CVE-2026-27959
Status: Received - Intake
Host Header Injection in Koa ctx.hostname Allows URL Manipulation

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating that the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com`, an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
Meta Information
Published: 2026-02-26
Last Modified: 2026-02-28
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor   Product   Version / Range
koajs    koa       to 2.16.14 (exc)
koajs    koa       From 3.0.0 (inc) to 3.1.2 (exc)
CWE ID    Description
CWE-20    The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27959 is a vulnerability in the Koa.js framework where the `ctx.hostname` API improperly parses the HTTP Host header. Specifically, it naively extracts the substring before the first colon without validating that the input conforms to the hostname syntax defined in RFC 3986. This allows an attacker to send a malformed Host header containing a `@` symbol, which is not valid in hostnames but used to separate userinfo from the host in URLs.

Because of this improper parsing, `ctx.hostname` can return an attacker-controlled hostname, such as `evil.com`, when the Host header contains userinfo like `evil.com:fake@localhost:3000`. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions become vulnerable to Host header injection attacks.

The vulnerability was fixed by changing the parsing logic to detect userinfo in the Host header and correctly extract the hostname using the URL constructor with a dummy scheme. If parsing fails, it returns an empty string to avoid unsafe host values.
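The contrast between the pre-fix parsing described in the record and the fix described in the answer above, as an added illustration that is not Koa's own code: `naiveHostname()` mirrors the "everything before the first colon" behaviour, `fixedHostname()` mirrors the described fix (detect userinfo, parse the authority with a dummy scheme via the WHATWG `URL` global, return an empty string on failure). The function names and the sample Host values are constructed for this example.

```javascript
// Added illustration of the parsing flaw described above; this is not Koa's own code.
// naiveHostname() mirrors the pre-fix behaviour the advisory describes (everything
// before the first colon, no syntax check). fixedHostname() mirrors the described
// fix: detect userinfo, let the URL parser split the authority using a dummy scheme,
// and return '' when that parse fails. Run with: node hostname-demo.js

// Pre-fix behaviour: the first colon wins, nothing is validated.
function naiveHostname(host) {
  if (!host) return '';
  return host.split(':', 1)[0];
}

// Parse `host` as the authority of a URL with a dummy scheme; '' on failure.
function hostnameViaUrl(host) {
  try {
    return new URL('http://' + host).hostname;
  } catch {
    return ''; // e.g. 'evil.com:fake@' has userinfo but no host at all
  }
}

// Described fix: values carrying userinfo ('@') go through the URL parser, which
// assigns 'evil.com:fake' to username/password and keeps the real host.
// Bracketed IPv6 literals also go through it, since a colon split would mangle them.
function fixedHostname(host) {
  if (!host) return '';
  if (host.includes('@') || host[0] === '[') return hostnameViaUrl(host);
  return host.split(':', 1)[0];
}

// Constructed Host header values (not captured traffic).
const SAMPLE_HOSTS = [
  'example.com',
  'example.com:8080',
  'evil.com:fake@localhost:3000', // the shape quoted in the advisory
  'evil.com@localhost',
  'evil.com:fake@',               // userinfo with no host behind it
  '[::1]:3000',
];

// Side-by-side results for a list of Host values.
function compare(hosts) {
  return hosts.map((h) => ({ host: h, naive: naiveHostname(h), fixed: fixedHostname(h) }));
}

for (const row of compare(SAMPLE_HOSTS)) {
  console.log(`${row.host.padEnd(30)} naive=${JSON.stringify(row.naive).padEnd(14)} fixed=${JSON.stringify(row.fixed)}`);
}
```

For the advisory's own shape, `evil.com:fake@localhost:3000`, the naive parser yields `evil.com` while the URL-based parser yields `localhost`; a value with userinfo but no host, such as `evil.com:fake@`, makes the URL parser throw and therefore yields the empty string, which is the "avoid unsafe host values" behaviour the answer describes.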


How can this vulnerability impact me?

This vulnerability can have several serious impacts if exploited:

  • Password Reset Poisoning: Attackers can hijack password reset tokens by poisoning reset URLs, enabling account takeover.
  • Email Verification Bypass: Attackers can manipulate verification links to verify attacker-controlled emails on victim accounts.
  • OAuth/SSO Callback Manipulation: Redirecting OAuth callbacks to malicious servers, resulting in token theft.
  • Web Cache Poisoning: If caching does not consider Host headers, poisoned URLs can be served to all users, enabling persistent XSS or phishing.
  • Server-Side Request Forgery (SSRF): Manipulating internal routing decisions based on `ctx.hostname` to direct requests to unintended backends.

The vulnerability is exploitable remotely without authentication or user interaction, with low attack complexity, and results in high integrity impact but no confidentiality or availability loss.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP requests to your Koa.js application for malformed or suspicious Host headers containing the '@' character, which is not valid in hostnames according to RFC 3986. Specifically, look for Host headers that include userinfo formats such as 'user@host' or 'evil.com:fake@localhost:3000'.

To detect exploitation attempts or presence of this vulnerability, you can capture and inspect HTTP request headers using network monitoring tools or command-line utilities.

  • Use tcpdump or tshark to capture HTTP traffic and filter for Host headers containing '@':
    tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Host:.*@'
  • Use curl or similar tools to manually test your server by sending requests with crafted Host headers containing '@' to see if the application improperly parses them:
    curl -H 'Host: [email protected]' http://yourserver.com/
  • Review application logs for unexpected or malformed Host header values or URLs generated using ctx.hostname or ctx.origin that contain '@' or unexpected domains.

[1, 2, 3]


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade the Koa.js framework to versions 3.1.2 or later, or 2.16.4 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, consider the following interim mitigations:

  • Implement strict validation of the Host header in your application or at the proxy/load balancer level to reject or sanitize headers containing '@' or other invalid characters.
  • Disable or carefully configure proxy trust settings (e.g., app.proxy = false) to prevent injection via X-Forwarded-Host headers.
  • Use a reverse proxy or web application firewall (WAF) to filter and block malicious Host headers before they reach the Koa application.
  • Avoid relying solely on ctx.hostname or ctx.origin for security-sensitive URL generation without additional validation or sanitization.

[1, 2, 3]
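One way to implement the interim mitigation above (strict Host validation in the application) and the log review suggested in the detection answer, as an added example that is neither Koa's code nor part of this record: a Host allowlist check, a Koa-style middleware built on it, and the same check applied to constructed access-log lines. The middleware reads the raw Host header through `ctx.get('Host')`, so X-Forwarded-Host is ignored whatever `app.proxy` is set to. The log format, the hostnames and the function names are all assumptions made for this example.

```javascript
// Added example (not Koa's code, not from the advisory): a Host allowlist check that can
// run as Koa middleware, plus the same check applied to constructed access-log lines so
// that past requests carrying userinfo-style Host headers can be found. The log format
// below is made up for this example.

// Decide whether a raw Host header value is acceptable for this deployment.
// Returns { ok: true, hostname, port } or { ok: false, reason }.
function checkHost(raw, allowedHostnames) {
  if (typeof raw !== 'string' || raw.length === 0) return { ok: false, reason: 'missing' };
  // '@' is never valid in a host; it is the shape used against ctx.hostname.
  if (raw.includes('@')) return { ok: false, reason: 'userinfo' };
  // Characters that would let the value spill into path, query or fragment.
  if (/[\s\/\\?#]/.test(raw)) return { ok: false, reason: 'forbidden-char' };
  let url;
  try {
    url = new URL('http://' + raw); // dummy scheme, only the authority matters
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (url.username !== '' || url.password !== '') return { ok: false, reason: 'userinfo' };
  const hostname = url.hostname; // lowercased; IPv6 literals keep their brackets
  if (!allowedHostnames.has(hostname)) return { ok: false, reason: 'not-allowlisted' };
  return { ok: true, hostname, port: url.port };
}

// Koa-style middleware: reject the request before any handler can build a URL
// from ctx.hostname. It reads the raw Host header, so X-Forwarded-Host is ignored
// regardless of app.proxy. Usage: app.use(hostAllowlist(['example.com']))
function hostAllowlist(allowedList) {
  const allowed = new Set(allowedList.map((h) => h.toLowerCase()));
  return async function enforceHost(ctx, next) {
    const raw = ctx.get('Host');
    const verdict = checkHost(raw, allowed);
    if (!verdict.ok) {
      ctx.status = 400;
      ctx.body = 'Bad Host header';
      // One structured line per rejection: this is the event to alert on.
      console.warn(JSON.stringify({ event: 'host_rejected', reason: verdict.reason, host: raw }));
      return;
    }
    await next();
  };
}

// Constructed access-log lines (not real traffic). Format, made up for this example:
//   <client-ip> <method> <path> host="<Host header>" <status>
const SAMPLE_LOG = [
  '203.0.113.5 GET /login host="example.com" 200',
  '203.0.113.5 POST /reset host="evil.example:fake@example.com:3000" 200',
  '198.51.100.9 GET /verify host="evil.example@example.com" 200',
  '198.51.100.9 GET / host="example.com:8080" 200',
  '192.0.2.77 GET / host="evil.example" 404',
];

// Return the log lines whose Host value fails checkHost, with the reason attached.
function scanAccessLog(lines, allowedList) {
  const allowed = new Set(allowedList.map((h) => h.toLowerCase()));
  const hits = [];
  for (const line of lines) {
    const m = /host="([^"]*)"/.exec(line);
    if (!m) continue;
    const verdict = checkHost(m[1], allowed);
    if (!verdict.ok) hits.push({ line, reason: verdict.reason });
  }
  return hits;
}

// Demonstration when run directly: node host-allowlist.js
for (const hit of scanAccessLog(SAMPLE_LOG, ['example.com'])) {
  console.log(`${hit.reason.padEnd(16)} ${hit.line}`);
}
```

Rejecting at the middleware layer, rather than only sanitizing the value, keeps the request from reaching handlers that call `ctx.hostname` or `ctx.origin` at all; the `host_rejected` log line gives the same signal for detection that the tcpdump filter above gives on the wire.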

