CVE-2025-25200
📋 TL;DR
Koa, the Node.js web framework, contains a regular expression denial-of-service (ReDoS) vulnerability in versions prior to 0.21.2, 1.7.1, 2.15.4, and 3.0.0-alpha.3 of the respective release lines. The flaw is in how the X-Forwarded-Proto and X-Forwarded-Host HTTP headers are parsed: an attacker can send specially crafted values for these headers to cause excessive CPU consumption and service unavailability. All applications using vulnerable Koa versions are affected.
💻 Affected Systems
- Koa
📦 What is this software?
Koa by Koajs
⚠️ Risk & Real-World Impact
Worst Case
Complete service outage with high CPU consumption leading to application unavailability for all users.
Likely Case
Degraded performance and intermittent service disruptions under attack.
If Mitigated
Minimal impact with proper rate limiting and header validation in place.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malicious X-Forwarded headers. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.21.2, 1.7.1, 2.15.4, or 3.0.0-alpha.3
Vendor Advisory: https://github.com/koajs/koa/security/advisories
Restart Required: Yes
Instructions:
1. Check the current Koa version with 'npm list koa'.
2. Update to a patched version: 'npm update koa@latest', or specify the exact version.
3. Restart the Node.js application.
4. Verify the fix with a version check.
🔧 Temporary Workarounds
Header Validation Middleware
Add custom middleware to validate or strip the X-Forwarded-Proto and X-Forwarded-Host headers before any Koa code parses them.
// Register this middleware before any other Koa middleware, so nothing
// reads ctx.protocol or ctx.host before the headers are removed.
app.use(async (ctx, next) => {
  // Strip the X-Forwarded headers outright; ctx.headers is Koa's alias for
  // ctx.req.headers, so deleting here removes them from the raw request.
  delete ctx.headers['x-forwarded-proto'];
  delete ctx.headers['x-forwarded-host'];
  await next();
});
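The snippet above simply discards the headers, which also discards the legitimate protocol and host information a trusted proxy supplies. The following is an added example, not code from the Koa project or from this advisory, that implements the "validate" half of the workaround: it caps the length of X-Forwarded-Proto and X-Forwarded-Host, checks the first value with patterns that cannot backtrack catastrophically, and drops only the values that fail, before Koa's ctx.protocol and ctx.host getters ever see them. The length cap (MAX_FORWARDED_LEN), the accepted host shape, and all function names are assumptions made for this example. Koa consults these headers only when app.proxy is true, which is also the configuration in which the ReDoS is reachable, so the guard is a no-op cost-wise otherwise.

```javascript
// Added example (not Koa's own code): a guard middleware for X-Forwarded-Proto and
// X-Forwarded-Host that bounds header length and validates the first value, so an
// unpatched Koa never hands a crafted header to its regex-based split.

// Assumption: no legitimate proxy chain needs more than this many characters.
const MAX_FORWARDED_LEN = 256;

// Per-value shape checks without nested or adjacent unbounded quantifiers,
// so the validator itself cannot backtrack catastrophically.
const PROTO_RE = /^https?$/i;
const HOST_RE = /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$/;

// Linear-time equivalent of value.split(/\s*,\s*/, 1)[0]: take the text before
// the first comma and trim it, so a long run of whitespace costs O(n), not O(n^2).
function firstForwardedValue(value) {
  if (typeof value !== 'string') return '';
  const comma = value.indexOf(',');
  return (comma === -1 ? value : value.slice(0, comma)).trim();
}

function isValidForwardedProto(value) {
  return PROTO_RE.test(firstForwardedValue(value));
}

function isValidForwardedHost(value) {
  return HOST_RE.test(firstForwardedValue(value));
}

// Mutates a Node-style lowercase header object in place and returns the names
// of the headers it removed, so the caller can log them.
function sanitizeForwardedHeaders(headers, maxLen = MAX_FORWARDED_LEN) {
  const checks = {
    'x-forwarded-proto': isValidForwardedProto,
    'x-forwarded-host': isValidForwardedHost,
  };
  const dropped = [];
  for (const [name, isValid] of Object.entries(checks)) {
    const raw = headers[name];
    if (raw === undefined) continue;
    // Node normally joins repeated headers; some servers still hand over arrays.
    const value = Array.isArray(raw) ? raw.join(',') : String(raw);
    // The length cap runs before any parsing: it is what bounds Koa's regex work.
    if (value.length > maxLen || !isValid(value)) {
      delete headers[name];
      dropped.push(name);
    }
  }
  return dropped;
}

// Koa middleware factory. ctx.headers is Koa's alias for ctx.req.headers, so
// deleting from it removes the header before ctx.protocol / ctx.host parse it.
function forwardedHeaderGuard({ maxLen = MAX_FORWARDED_LEN, log = () => {} } = {}) {
  return async function guard(ctx, next) {
    const dropped = sanitizeForwardedHeaders(ctx.headers, maxLen);
    if (dropped.length > 0) {
      log(`dropped ${dropped.join(', ')} from ${ctx.ip || 'unknown'}`);
    }
    await next();
  };
}

// Usage in an application (app is a Koa instance):
//   app.use(forwardedHeaderGuard({ log: console.warn }));   // before other middleware
```

Because the guard rejects on length before it inspects content, a header consisting of thousands of spaces is removed in one comparison; the validators then only ever run over values short enough for even the original Koa regex to process cheaply.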
Rate Limiting
Implement rate limiting to cap how many requests carrying these headers a single source can send.
npm install koa-ratelimit
// Configure rate limiting middleware
🧯 If You Can't Patch
- Implement reverse proxy or WAF to filter malicious X-Forwarded headers before they reach Koa.
- Deploy application-level rate limiting to restrict request frequency from single sources.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list koa' to see installed version. Compare against vulnerable versions.
Check Version:
npm list koa | grep koa
Verify Fix Applied:
After update, run 'npm list koa' to confirm version is 0.21.2, 1.7.1, 2.15.4, or 3.0.0-alpha.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- High CPU usage spikes
- Increased request processing time
- Multiple requests with X-Forwarded headers from same source
Network Indicators:
- HTTP requests containing X-Forwarded-Proto or X-Forwarded-Host headers with unusual patterns
SIEM Query:
source="web_logs" AND (header="X-Forwarded-Proto" OR header="X-Forwarded-Host") AND request_time > 5s
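As an added example that is not part of this advisory, the following analyzer turns the indicators above into code that can be run over access-log records: it flags X-Forwarded-Proto or X-Forwarded-Host values that are oversized or padded with long whitespace runs, flags slow requests that carry either header (the SIEM query above), and reports sources that produce several such requests. The record shape (one JSON object per line with ip, path, request_time_ms and a lowercase headers map), the sample lines, and the thresholds are all constructed for this example.

```javascript
// Added example (not from the advisory): detection logic for the log indicators
// listed above, run over constructed JSON access-log lines.

// Constructed sample records; 203.0.113.7 is the noisy source.
const LOG_LINES = [
  { ip: '198.51.100.10', path: '/', request_time_ms: 42,
    headers: { 'x-forwarded-proto': 'https', 'x-forwarded-host': 'app.example.com' } },
  { ip: '203.0.113.7', path: '/login', request_time_ms: 7200,
    headers: { 'x-forwarded-proto': ' '.repeat(400) + ',' } },
  { ip: '203.0.113.7', path: '/login', request_time_ms: 120,
    headers: { 'x-forwarded-host': ' '.repeat(20) + 'x' } },
  { ip: '203.0.113.7', path: '/api', request_time_ms: 6100,
    headers: { 'x-forwarded-proto': 'http' } },
  { ip: '198.51.100.10', path: '/report', request_time_ms: 9000,
    headers: { 'user-agent': 'curl/8.0' } }, // slow, but no forwarded header
].map((r) => JSON.stringify(r)).concat(['not json at all']); // one malformed line

// Assumed thresholds; tune to the proxy setup in front of the application.
const THRESHOLDS = { maxLen: 256, maxWhitespaceRun: 8, slowMs: 5000, perSourceCount: 3 };
const FORWARDED = ['x-forwarded-proto', 'x-forwarded-host'];

// Longest run of whitespace, found with a single scan rather than a regex.
function longestWhitespaceRun(s) {
  let best = 0;
  let cur = 0;
  for (const ch of s) {
    cur = /\s/.test(ch) ? cur + 1 : 0; // single-character test, no backtracking
    if (cur > best) best = cur;
  }
  return best;
}

// Returns the list of reasons a record is suspicious (empty when it is not).
function classifyRecord(rec, t = THRESHOLDS) {
  const reasons = [];
  const present = FORWARDED.filter((n) => rec.headers && typeof rec.headers[n] === 'string');
  for (const name of present) {
    const v = rec.headers[name];
    if (v.length > t.maxLen) reasons.push(`${name}:oversized(${v.length})`);
    if (longestWhitespaceRun(v) > t.maxWhitespaceRun) reasons.push(`${name}:whitespace-run`);
  }
  // Mirrors the SIEM query: slow request AND a forwarded header present.
  if (present.length > 0 && rec.request_time_ms > t.slowMs) {
    reasons.push(`slow(${rec.request_time_ms}ms)`);
  }
  return reasons;
}

// Parses each line, collects findings, and lists sources above the per-source count.
function analyzeLog(lines, t = THRESHOLDS) {
  const perIp = new Map();
  const findings = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; } // skip malformed lines
    const reasons = classifyRecord(rec, t);
    if (reasons.length === 0) continue;
    findings.push({ ip: rec.ip, path: rec.path, reasons });
    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);
  }
  const noisySources = [...perIp]
    .filter(([, n]) => n >= t.perSourceCount)
    .map(([ip]) => ip);
  return { findings, noisySources };
}

// Stand-alone run: print the findings for the constructed log.
console.log(JSON.stringify(analyzeLog(LOG_LINES), null, 2));
```

The whitespace-run check is the most specific of the three indicators: legitimate X-Forwarded-* values from real proxies contain at most a single space after each comma, so any longer run is worth a closer look even when the header is short and the request was fast.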
🔗 References
- https://github.com/koajs/koa/blob/master/lib/request.js#L259
- https://github.com/koajs/koa/blob/master/lib/request.js#L404
- https://github.com/koajs/koa/commit/5054af6e31ffd451a4151a1fe144cef6e5d0d83c
- https://github.com/koajs/koa/commit/5f294bb1c7c8d9c61904378d250439a321bffd32
- https://github.com/koajs/koa/commit/93fe903fc966635a991bcf890cfc3427d33a1a08
- https://github.com/koajs/koa/releases/tag/2.15.4
- https://github.com/koajs/koa/security/advisories/GHSA-593f-38f6-jp5m