CVE-2025-25200: Koa has Inefficient Regular Expression Complexity

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-25200

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Koa has Inefficient Regular Expression Complexity

Source: NVD (National Vulnerability Database)

Vulnerability Description

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa uses an evil regex to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This can be exploited to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue.

Source: NVD (National Vulnerability Database)

CVSS Information

N/A

Source: NVD (National Vulnerability Database)

Vulnerability Type

CWE-1333

Source: NVD (National Vulnerability Database)

Vulnerability Title

Koa 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Koa是Koa.js开源的一个中间件。 Koa存在安全漏洞，该漏洞源于使用恶意正则表达式来解析X-Forwarded-Proto和X-Forwarded-HostHTTP 标头。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
koajs	koa	< 0.21.2	-

II. Public POCs for CVE-2025-25200

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2025-25200

Please Login to view more intelligence information

https://github.com/koajs/koa/releases/tag/2.15.4x_refsource_MISC
https://github.com/koajs/koa/blob/master/lib/request.js#L259x_refsource_MISC
https://github.com/koajs/koa/blob/master/lib/request.js#L404x_refsource_MISC
https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5mx_refsource_CONFIRM
https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32x_refsource_MISC
https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83cx_refsource_MISC
https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08x_refsource_MISC
https://nvd.nist.gov/vuln/detail/CVE-2025-25200

IV. Related Vulnerabilities

Same product: koa

Same vendor: koajs

Same weakness: CWE-1333

V. Comments for CVE-2025-25200

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2025-25200

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2025-25200

III. Intelligence Information for CVE-2025-25200

IV. Related Vulnerabilities

V. Comments for CVE-2025-25200

Leave a comment