CVE-2025-25200: Koa has Inefficient Regular Expression Complexity

Published Feb 12, 2025
·
Updated

### Summary Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. ### PoC Coming soon. ### Impact This is a Regex Denial-of-Service attack and causes memory exhaustion. The regex should be improved and empty values should not be allowed.

Affected Software

12 affected componentsFixes available
npm/koa<0.21.2
0.21.2
npm/koa>=1.0.0<1.7.1
1.7.1
npm/koa>=3.0.0-alpha.0<3.0.0-alpha.3
3.0.0-alpha.3
npm/koa>=2.0.0<2.15.4
2.15.4
Koa Koa<0.21.2, <1.7.1, <2.15.4, <3.0.0-alpha.3
IBM Concert Software<=1.0.0-1.1.0
Koajs Koa Node.js<0.21.2
Koajs Koa Node.js>=1.0.0<1.7.1
Koajs Koa Node.js>=2.0.0<2.15.4
Koajs Koa Node.js=3.0.0-alpha0
Koajs Koa Node.js=3.0.0-alpha1
Koajs Koa Node.js=3.0.0-alpha2

Remediation

Patch Available

https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c

Patch Available

https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32

Patch Available

https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08

Event History

Feb 12, 2025
CVE Published
via MITRE·05:59 PM
Data Sourced
via MITRE·05:59 PM
DescriptionWeakness
Data Sourced
via NVD·06:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·06:15 PM
RemedyAffected Software
Advisory Published
via GitHub·07:23 PM
Data Sourced
via GitHub·07:23 PM
DescriptionWeaknessAffected Software
Sep 1, 2025
Data Sourced
via IBM·12:00 AM
DescriptionAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2025-25200?

CVE-2025-25200 has a moderate severity level due to its potential to cause Denial-of-Service attacks.

2

How do I fix CVE-2025-25200?

To fix CVE-2025-25200, upgrade Koa to versions 0.21.2, 1.7.1, 2.15.4, or 3.0.0-alpha.3 or later.

3

Which versions of Koa are affected by CVE-2025-25200?

CVE-2025-25200 affects Koa versions prior to 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3.

4

What is the nature of the vulnerability in CVE-2025-25200?

CVE-2025-25200 involves a regex flaw that can be exploited through unsafe parsing of HTTP headers.

5

Can CVE-2025-25200 affect my Node.js application?

Yes, if your application uses an affected version of Koa, it may be vulnerable to Denial-of-Service attacks.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203