CVE-2025-25200
Regex Denial-of-Service vulnerability in koa

Regex Denial-of-Service | No known exploit | Fixable by Resolved Security

What is CVE-2025-25200 About?

This is a Regex Denial-of-Service (ReDoS) vulnerability in the Koa framework, caused by an inefficient regular expression used to parse `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. It allows attackers to exhaust memory resources. Exploitation is achieved by injecting specially crafted header values.

Affected Software

  • koa
    • >3.0.0-alpha.0, <3.0.0-alpha.3
    • <0.21.2
    • >1.0.0, <1.7.1
    • >2.0.0, <2.15.4

Technical Details

The Koa framework uses a vulnerable regular expression to parse the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers. This specific regex exhibits problematic behavior when confronted with specially crafted input, leading to excessive backtracking and exponential time complexity. An attacker can send HTTP requests with malformed or overly long values in these forwarded headers. When Koa attempts to parse these headers using the inefficient regex, it can lead to significantly increased CPU usage and memory exhaustion. This resource depletion can result in a Denial-of-Service (DoS) condition, making the application unresponsive or causing it to crash due to memory exhaustion.

What is the Impact of CVE-2025-25200?

Successful exploitation may allow attackers to cause a denial of service by consuming excessive memory resources, leading to application unresponsiveness or crashes.

What is the Exploitability of CVE-2025-25200?

Exploiting this ReDoS vulnerability involves crafting specific values for the `X-Forwarded-Proto` and `X-Forwarded-Host` HTTP headers that trigger exponential complexity in Koa's regex parser. Attack complexity is moderate, requiring an understanding of regex behavior and how to create pathological inputs. No authentication is required, as the attack occurs at the HTTP header parsing stage, before application-level authentication. No special privileges are needed. This is a remote attack, as an attacker can send a malicious HTTP request to the vulnerable Koa application. The primary constraint is that the application must be accepting and processing these forwarded headers. The risk of exploitation increases if the Koa application is directly exposed to the internet or processes untrusted HTTP requests.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-25200?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch replaces the direct use of `.split(/\s*,\s*/)` with a new `splitCommaSeparatedValues` function, ensuring that each individual value from a comma-separated header string is properly trimmed of whitespace. This change fixes CVE-2025-25200 by preventing header injection or bypass attacks that could exploit improperly handled whitespace, thereby ensuring more reliable and secure header parsing.
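The following is an added example, not Koa's code or the Resolved Security patch itself. It places the regex split the advisory identifies beside a regex-free `splitCommaSeparatedValues` that walks the header once and trims each piece, so parsing cost stays proportional to header length regardless of how whitespace is arranged. The `legacySplit`, `forwardedProtocol` and `forwardedHost` helpers and the sample headers are constructed for illustration; the two getters are modelled on Koa's behaviour of consulting `X-Forwarded-*` only when the application trusts its proxy (Koa's `app.proxy` setting) and using only the first listed value.

```javascript
// Added example, not Koa's own code: a regex-free replacement for the
// `.split(/\s*,\s*/)` call the advisory describes, shown beside the old
// pattern. All names except splitCommaSeparatedValues are assumed.

// Old approach (the pattern the advisory identifies): the \s* quantifiers
// around the comma can backtrack across long whitespace runs, and leading
// or trailing whitespace on the first and last values is never trimmed.
function legacySplit(value, limit) {
  return value.split(/\s*,\s*/, limit);
}

// Linear-time replacement: one pass over the string, split on ',' only,
// then trim each piece. No regex, so no backtracking. `limit` mirrors the
// optional second argument of String.prototype.split.
function splitCommaSeparatedValues(value, limit = Infinity) {
  if (limit <= 0) return [];
  const values = [];
  let start = 0;
  for (let i = 0; i <= value.length; i++) {
    if (i === value.length || value[i] === ',') {
      values.push(value.slice(start, i).trim());
      if (values.length >= limit) break;
      start = i + 1;
    }
  }
  return values;
}

// Assumed Koa-like request.protocol getter: the forwarded header is only
// consulted when the proxy is trusted (app.proxy in Koa), and only the
// first value is used, since that is the client-facing hop.
function forwardedProtocol(headers, trustProxy, socketEncrypted = false) {
  if (socketEncrypted) return 'https';
  if (!trustProxy) return 'http';
  const proto = headers['x-forwarded-proto'];
  if (!proto) return 'http';
  return splitCommaSeparatedValues(proto, 1)[0] || 'http';
}

// Assumed Koa-like request.host getter, falling back to the Host header
// when no trusted forwarded value is present.
function forwardedHost(headers, trustProxy) {
  let host = trustProxy ? headers['x-forwarded-host'] : undefined;
  if (!host) host = headers.host || '';
  return host ? splitCommaSeparatedValues(host, 1)[0] : '';
}

// Constructed sample headers (not captured from a real request).
const sampleHeaders = {
  'x-forwarded-proto': ' https , http',
  'x-forwarded-host': 'app.example.test, internal.lb',
  host: 'internal.lb:8080',
};

// Compare old and new parsing on the same input and show how the parsed
// values feed the protocol/host decisions.
function demo() {
  return {
    legacy: legacySplit(sampleHeaders['x-forwarded-proto']),
    fixed: splitCommaSeparatedValues(sampleHeaders['x-forwarded-proto']),
    protocol: forwardedProtocol(sampleHeaders, true),
    untrustedProtocol: forwardedProtocol(sampleHeaders, false),
    host: forwardedHost(sampleHeaders, true),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running the file prints the parsed values: the legacy split keeps the leading space on `' https'`, whereas the replacement yields `'https'` and `'http'` as trimmed values, and with `trustProxy` set to `false` the forwarded header is ignored entirely. When upgrading is not immediately possible, leaving proxy trust disabled on a Koa application that does not sit behind a reverse proxy keeps these headers out of the parsing path the advisory describes.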

Available Upgrade Options

  • koa
    • <0.21.2 → Upgrade to 0.21.2
  • koa
    • >1.0.0, <1.7.1 → Upgrade to 1.7.1
  • koa
    • >2.0.0, <2.15.4 → Upgrade to 2.15.4
  • koa
    • >3.0.0-alpha.0, <3.0.0-alpha.3 → Upgrade to 3.0.0-alpha.3


Additional Resources

What are Similar Vulnerabilities to CVE-2025-25200?

Similar Vulnerabilities: CVE-2023-41042, CVE-2023-49506, CVE-2023-47000, CVE-2023-46879, CVE-2023-46746