CVE-2025-25200

HIGH

Koa < 0.21.2 / 1.7.1 / 2.15.4 / 3.0.0-alpha.3 - ReDoS via X-Forwarded-Proto and X-Forwarded-Host headers (DoS)

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-25200, a PoC published by dwictor0.

AI-analyzed exploit summary

This repository contains a functional proof-of-concept for CVE-2025-25200, a Regular Expression Denial of Service (ReDoS) vulnerability in the Koa framework. The exploit demonstrates the vulnerability by sending a crafted HTTP request with a malicious 'X-Forwarded-For' header to a vulnerable Koa server, causing excessive processing time due to backtracking in the regex engine.

Description

Koa is expressive middleware for Node.js using ES2017 async functions. Prior to versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3, Koa parses the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers with a regular expression that backtracks catastrophically on crafted input (ReDoS, CWE-1333). An unauthenticated client that can reach the server can exploit this to carry out a Denial-of-Service attack. Versions 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 fix the issue. Note that the exploit summary on this page names `X-Forwarded-For`, whereas the advisory text names `X-Forwarded-Proto` and `X-Forwarded-Host`; check which header the PoC actually sends before relying on it for testing.
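To make the backtracking concrete, the following is an added example written for this page; it is neither Koa's source nor the dwictor0 PoC. It models the vulnerable parse as the common comma-splitting pattern `/\s*,\s*/` applied with `String.prototype.split(re, 1)` (an assumption: the exact expression Koa used is not quoted on this page), puts a linear-time split with the same result next to it, and times both on a constructed worst-case header value. All function names (`firstValueRegex`, `firstValueLinear`, `buildPayload`, `timeMs`, `parsersAgree`, `compare`) and the sample header values are the example's own.

```javascript
// Added example (not Koa's source and not the dwictor0 PoC): contrasts a
// comma-splitting regex of the shape the advisory describes with a linear-time
// split, and measures both on a constructed worst-case header value.
// Assumption: the vulnerable pattern is modelled as /\s*,\s*/ applied with
// String.prototype.split(re, 1); Koa's exact code is not quoted on this page.

'use strict';

// Vulnerable shape: for a value containing no comma, \s* greedily consumes the
// rest of the string at every start offset and then backtracks one character
// at a time looking for ',', so one call costs O(n^2) in the value length.
function firstValueRegex(header) {
  return header.split(/\s*,\s*/, 1)[0];
}

// Linear-time replacement with identical results: cut at the first comma and
// drop only the whitespace that sat between the value and that comma.
function firstValueLinear(header) {
  const i = header.indexOf(',');
  return i === -1 ? header : header.slice(0, i).trimEnd();
}

// Worst-case input: whitespace only, no comma. Node caps a request header at
// 16 KiB by default (--max-http-header-size), so n = 16000 is reachable over
// the wire without any server-side tuning.
function buildPayload(n) {
  return ' '.repeat(n);
}

// Wall-clock milliseconds for one call of fn on input.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed benign header values of the kind a reverse proxy really sends;
// both parsers must agree on all of them before the linear one can replace
// the regex.
const SAMPLE_HEADERS = [
  'https',
  'https, http',
  'https ,http',
  'example.com:8443',
  'a.example , b.example , c.example',
  ' leading-space-kept',
  ',empty-first',
  '',
];

function parsersAgree(headers = SAMPLE_HEADERS) {
  return headers.every((h) => firstValueRegex(h) === firstValueLinear(h));
}

// Cost of both parsers on an n-character worst-case value. The regex path
// grows roughly 4x per doubling of n; the linear path stays flat.
function compare(n) {
  const payload = buildPayload(n);
  return {
    n,
    regexMs: timeMs(firstValueRegex, payload),
    linearMs: timeMs(firstValueLinear, payload),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('parsers agree on samples:', parsersAgree());
  for (const n of [2000, 4000, 8000, 16000]) console.log(compare(n));
}
```

Run it with `node` and watch `regexMs` climb quadratically while `linearMs` stays near zero; the per-request cost is bounded only by the header size limit, and a handful of concurrent requests is enough to pin a single-threaded Node event loop. Two caveats from Koa's documented behaviour rather than from this page: Koa only consults `X-Forwarded-*` headers when `app.proxy` is set to true, so an app that never enables proxy trust does not reach the vulnerable parse, and the fix is to upgrade to one of the versions listed above rather than to copy this example's split into application code.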

Exploits (1)

nomisec WORKING POC
by dwictor0 · poc
https://github.com/dwictor0/PoC-CVE-2025-25200


Classification
Working PoC (95% confidence)
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target: Koa < 0.21.2; >= 1.0.0, < 1.7.1; >= 2.0.0, < 2.15.4; >= 3.0.0-alpha.0, < 3.0.0-alpha.3
No auth needed
Prerequisites: Node.js (>= 18) · Go (>= 1.20) · Koa server running on localhost:3000
devstral-2 · analyzed Mar 24, 2026

Scores

CVSS v3.1 7.5 (High)
EPSS 0.0050 (0.50%)
EPSS Percentile 66.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-1333 (Inefficient Regular Expression Complexity)
Status published
Products (3)
koajs/koa 3.0.0-alpha0 (3 CPE variants)
koajs/koa < 0.21.2
npm/koa 2.0.0 - 2.15.4 (npm)
Published Feb 12, 2025
Tracked Since Feb 18, 2026