CVE-2026-9495

HIGH

@koa/router < 15.0.0 - Improper Access Control

Title source: rule

Description

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.

References (4)

Core 4

Core References

https://security.snyk.io/vuln/SNYK-JS-KOAROUTER-12215044

https://github.com/koajs/router/issues/202

https://github.com/koajs/router/pull/206

https://github.com/koajs/router/commit/d53e17f284557b1f417946f9807ee52290c3c759

View Patch ZIP pw:eip

Scores

CVSS v3 7.3

EPSS 0.0047

EPSS Percentile 37.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (1)

None/@koa/router 14.0.0 - 15.0.0

Published May 26, 2026

Tracked Since May 26, 2026