CVE-2026-27959

HIGH

Koa 3.0.0-3.1.1 and <2.16.14 - Host Header Injection via ctx.hostname

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-27959. PoCs published by XiaomingX, mlouazir.

AI-analyzed exploit summary: This repository contains a functional PoC for CVE-2026-27959, demonstrating a hostname-based authentication bypass vulnerability in a Koa.js application. The exploit leverages a misconfiguration in the reverse proxy to trick the backend into accepting requests with a spoofed hostname.

Description

Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's `ctx.hostname` API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a `@` symbol is received, `ctx.hostname` returns `evil[.]com` - an attacker-controlled value. Applications using `ctx.hostname` for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
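As an added, defensive illustration (not code from Koa or from either PoC repository): a strict Host-header parser that applies the RFC 3986 host syntax the naive "everything before the first colon" split skips, beside an allowlist check an application can run before trusting a hostname for link generation or routing. The function names `naiveHostname`, `strictHostname`, `isAllowedHost` and all sample header values are constructed for this example.

```javascript
'use strict';

// Host syntax per RFC 3986 section 3.2.2: host = IP-literal / IPv4address / reg-name,
// optionally followed by ":port". '@' is never valid inside a host (it terminates
// userinfo in an authority), so any header containing it is rejected outright.

// reg-name = *( unreserved / pct-encoded / sub-delims ); '@' and ':' are excluded.
const REG_NAME = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$/;
// Bracketed IPv6 literal: hex digits, ':' and '.' (IPv4-mapped) only.
const IP_LITERAL = /^\[[0-9A-Fa-f:.]+\]$/;
const PORT = /^[0-9]{1,5}$/;

// The naive parse the advisory describes; kept here only for contrast.
function naiveHostname(hostHeader) {
  return hostHeader.split(':', 1)[0];
}

// Returns the lower-cased host when the header is syntactically valid, or null
// when it is malformed. Callers must treat null as "do not trust this request".
function strictHostname(hostHeader) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0 || hostHeader.length > 255) return null;
  let host;
  let port = null;
  if (hostHeader[0] === '[') {
    // IP-literal: everything up to the closing bracket, then an optional ":port".
    const end = hostHeader.indexOf(']');
    if (end === -1) return null;
    host = hostHeader.slice(0, end + 1);
    const rest = hostHeader.slice(end + 1);
    if (rest !== '') {
      if (rest[0] !== ':') return null;
      port = rest.slice(1);
    }
    if (!IP_LITERAL.test(host)) return null;
  } else {
    // reg-name / IPv4: a single ':' may separate the port; reg-name itself has no ':'.
    const idx = hostHeader.lastIndexOf(':');
    host = idx === -1 ? hostHeader : hostHeader.slice(0, idx);
    if (idx !== -1) port = hostHeader.slice(idx + 1);
    if (!REG_NAME.test(host)) return null;
  }
  if (port !== null && (!PORT.test(port) || Number(port) > 65535)) return null;
  return host.toLowerCase();
}

// Allowlist check: only hostnames this deployment is actually served under pass.
function isAllowedHost(hostHeader, allowlist) {
  const h = strictHostname(hostHeader);
  return h !== null && allowlist.includes(h);
}
```

Wire `isAllowedHost` into an early middleware and respond with 400 when it returns false; the allowlist, not the inbound header, is then the source of truth for any generated URL.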

Exploits (2)

GitHub · Working PoC · 10 stars
by XiaomingX · Python PoC
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27959


Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Koa.js (version not specified)
Auth: No auth needed
Prerequisites: Access to the target application · Ability to manipulate the Host header
Analyzed by devstral-2 on Mar 10, 2026
nomisec · Working PoC
by mlouazir · PoC
https://github.com/mlouazir/CVE-2026-27959-mini-lab

This repository contains a functional PoC for CVE-2026-27959, demonstrating a hostname spoofing vulnerability in a Koa.js application. The lab simulates a scenario where an attacker can bypass reverse proxy restrictions by manipulating the Host header to appear as 'evil.com' while originating from 'localhost'.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Koa.js (version not specified)
Auth: No auth needed
Prerequisites: Access to the target application · Ability to modify HTTP headers
Analyzed by devstral-2 on Mar 10, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0013
EPSS Percentile: 31.5%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-20 (Improper Input Validation)
Status: published
Products (2):
koajs/koa < 2.16.14
npm/koa 3.0.0 - 3.1.2
Published: Feb 26, 2026
Tracked Since: Feb 26, 2026