{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25200", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-02-03T19:30:53.400Z", "datePublished": "2025-02-12T17:59:04.615Z", "dateUpdated": "2025-02-12T19:29:10.232Z"}, "containers": {"cna": {"title": "Koa has Inefficient Regular Expression Complexity", "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "baseScore": 9.2, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"}, {"name": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"}, {"name": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"}, {"name": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"}, {"name": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259"}, {"name": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404"}, {"name": "https://github.com/koajs/koa/releases/tag/2.15.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/koajs/koa/releases/tag/2.15.4"}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"version": "< 0.21.2", "status": "affected"}, {"version": ">= 1.0.0, < 1.7.1", "status": "affected"}, {"version": ">= 2.0.0-alpha.1, < 2.15.4", "status": "affected"}, {"version": ">= 3.0.0-alpha.0, < < 3.0.0-alpha.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:59:04.615Z"}, "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}], "source": {"advisory": "GHSA-593f-38f6-jp5m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-12T18:33:35.286450Z", "id": "CVE-2025-25200", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:29:10.232Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25200", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-12T18:33:35.286450Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:29:02.600Z"}}], "cna": {"title": "Koa has Inefficient Regular Expression Complexity", "source": {"advisory": "GHSA-593f-38f6-jp5m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.2, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "koajs", "product": "koa", "versions": [{"status": "affected", "version": "< 0.21.2"}, {"status": "affected", "version": ">= 1.0.0, < 1.7.1"}, {"status": "affected", "version": ">= 2.0.0-alpha.1, < 2.15.4"}, {"status": "affected", "version": ">= 3.0.0-alpha.0, < < 3.0.0-alpha.3"}]}], "references": [{"url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "name": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "name": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "name": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "name": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L259", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "name": "https://github.com/koajs/koa/blob/master/lib/request.js#L404", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/koajs/koa/releases/tag/2.15.4", "name": "https://github.com/koajs/koa/releases/tag/2.15.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-02-12T17:59:04.615Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25200", "state": "PUBLISHED", "dateUpdated": "2025-02-12T19:29:10.232Z", "dateReserved": "2025-02-03T19:30:53.400Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-02-12T17:59:04.615Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue."}], "id": "CVE-2025-25200", "lastModified": "2025-02-12T18:15:28.110", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 9.2, "baseSeverity": "CRITICAL", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "HIGH", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-02-12T18:15:28.110", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L259"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/blob/master/lib/request.js#L404"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/releases/tag/2.15.4"}, {"source": "security-advisories@github.com", "url": "https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "koa: Koa has Inefficient Regular Expression Complexity", "id": "2345319", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345319"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-1333", "details": ["Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.", "A denial of service flaw was found in the koa library. An improperly designed regex is used to parse some specific HTTP headers. If untrusted requests are passed to koa, it can cause excessive resource usage on the server."], "name": "CVE-2025-25200", "public_date": "2025-02-12T17:59:04Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-25200\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-25200\nhttps://github.com/koajs/koa/blob/master/lib/request.js#L259\nhttps://github.com/koajs/koa/blob/master/lib/request.js#L404\nhttps://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c\nhttps://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32\nhttps://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08\nhttps://github.com/koajs/koa/releases/tag/2.15.4\nhttps://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m"], "statement": "Red Hat Product Security has determined that this vulnerability does not affect any currently supported Red Hat product. Red Hat Developer Hub uses `koa` as a transient dependency during build time, the vulnerable code is not accessible at runtime.", "threat_severity": "Low"}