CVE-2026-27959
Received Received - Intake
Host Header Injection in Koa ctx.hostname Allows URL Manipulation

Publication date: 2026-02-26

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-26
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27959
EUVD
EUVD-2026-8816
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
koajs koa to 2.16.14 (exc)
koajs koa From 3.0.0 (inc) to 3.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27959 is a vulnerability in the Koa.js framework where the `ctx.hostname` API improperly parses the HTTP Host header. Specifically, it naively extracts the substring before the first colon without validating that the input conforms to the hostname syntax defined in RFC 3986. This allows an attacker to send a malformed Host header containing a `@` symbol, which is not valid in hostnames but used to separate userinfo from the host in URLs.

Because of this improper parsing, `ctx.hostname` can return an attacker-controlled hostname, such as `evil.com`, when the Host header contains userinfo like `evil.com:fake@localhost:3000`. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions become vulnerable to Host header injection attacks.

The vulnerability was fixed by changing the parsing logic to detect userinfo in the Host header and correctly extract the hostname using the URL constructor with a dummy scheme. If parsing fails, it returns an empty string to avoid unsafe host values.

Impact Analysis

This vulnerability can have several serious impacts if exploited:

  • Password Reset Poisoning: Attackers can hijack password reset tokens by poisoning reset URLs, enabling account takeover.
  • Email Verification Bypass: Attackers can manipulate verification links to verify attacker-controlled emails on victim accounts.
  • OAuth/SSO Callback Manipulation: Redirecting OAuth callbacks to malicious servers, resulting in token theft.
  • Web Cache Poisoning: If caching does not consider Host headers, poisoned URLs can be served to all users, enabling persistent XSS or phishing.
  • Server-Side Request Forgery (SSRF): Manipulating internal routing decisions based on `ctx.hostname` to direct requests to unintended backends.

The vulnerability is exploitable remotely without authentication or user interaction, with low attack complexity, and results in high integrity impact but no confidentiality or availability loss.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by monitoring HTTP requests to your Koa.js application for malformed or suspicious Host headers containing the '@' character, which is not valid in hostnames according to RFC 3986. Specifically, look for Host headers that include userinfo formats such as 'user@host' or 'evil.com:fake@localhost:3000'."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of this vulnerability, you can capture and inspect HTTP request headers using network monitoring tools or command-line utilities.'}, {'type': 'list_item', 'content': "Use tcpdump or tshark to capture HTTP traffic and filter for Host headers containing '@':"}, {'type': 'list_item', 'content': "tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Host:.*@'"}, {'type': 'list_item', 'content': "Use curl or similar tools to manually test your server by sending requests with crafted Host headers containing '@' to see if the application improperly parses them:"}, {'type': 'list_item', 'content': "curl -H 'Host: [email protected]' http://yourserver.com/"}, {'type': 'list_item', 'content': "Review application logs for unexpected or malformed Host header values or URLs generated using ctx.hostname or ctx.origin that contain '@' or unexpected domains."}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and most effective mitigation is to upgrade the Koa.js framework to versions 3.1.2 or later, or 2.16.4 or later, where this vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, consider the following interim mitigations:'}, {'type': 'list_item', 'content': "Implement strict validation of the Host header in your application or at the proxy/load balancer level to reject or sanitize headers containing '@' or other invalid characters."}, {'type': 'list_item', 'content': 'Disable or carefully configure proxy trust settings (e.g., app.proxy = false) to prevent injection via X-Forwarded-Host headers.'}, {'type': 'list_item', 'content': 'Use a reverse proxy or web application firewall (WAF) to filter and block malicious Host headers before they reach the Koa application.'}, {'type': 'list_item', 'content': 'Avoid relying solely on ctx.hostname or ctx.origin for security-sensitive URL generation without additional validation or sanitization.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27959. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart