CVE-2025-25200
HIGHDescription
Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.
Is your site exposed to CVE-2025-25200?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| koajs | koa |
| koajs | koa |
| koajs | koa |
| koajs | koa |
| koajs | koa |
| koajs | koa |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-25200? +
How severe is CVE-2025-25200? +
What products are affected by CVE-2025-25200? +
How do I check if I'm vulnerable to CVE-2025-25200? +
Related Vulnerabilities
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA …
PowSyBl (Power System Blocks) is a framework to build power system oriented software. Prior to version 6.7.2, there is a …
PowSyBl (Power System Blocks) is a framework to build power system oriented software. In com.powsybl:powsybl-iidm-criteria versions 6.3.0 to before 6.7.2 …
ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service …
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression …
Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression …