Description
Koa is middleware for Node.js using ES2017 async functions. Prior to versions 3.1.2 and 2.16.4, Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol is received, ctx.hostname returns evil[.]com - an attacker-controlled value. Applications using ctx.hostname for URL generation, password reset links, email verification URLs, or routing decisions are vulnerable to Host header injection attacks. Versions 3.1.2 and 2.16.4 fix the issue.
A flaw was found in Koa’s ctx.hostname API used in Node.js applications. The function incorrectly parses specially crafted HTTP Host headers containing an @ character, which can cause the extracted hostname value to differ from the intended origin. An attacker can exploit this behavior by sending a malicious Host header to influence the hostname value returned by ctx.hostname. Applications that rely on this value for generating absolute URLs, password reset links, or email verification links without additional validation may be susceptible to Host header injection attacks.
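To make the parsing defect concrete, here is an added example (not Koa's code) that places a naive "everything before the first colon" parse of the Host header next to a strict parser that accepts only RFC 3986 host syntax (IPv6 literal, IPv4 address or reg-name, optionally followed by a port) and then checks the result against an application-configured allowlist; `ALLOWED_HOSTS`, the sample header values and `absoluteUrl` are assumptions constructed for the example.

```javascript
// Naive parse of the kind the advisory describes: everything before the
// first colon becomes the hostname, with no check that it is a valid host.
function naiveHostname(hostHeader) {
  return hostHeader.split(':')[0];
}

// RFC 3986 "host" grammar as it may appear in a Host header:
// an IPv6 literal in brackets, or an IPv4/reg-name made of labels of
// letters, digits and hyphens. Anything else (an "@", a "/", a
// percent-escape, userinfo) fails the match instead of leaking through.
const HOST_RE = /^((?:\[[0-9A-Fa-f:.]+\])|(?:[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*))(?::(\d{1,5}))?$/;

// Strict parse: returns the lower-cased host only when the whole header is
// syntactically valid AND the host is on the allowlist; otherwise null, so a
// caller can never silently build a link from tainted input.
function strictHostname(hostHeader, allowedHosts) {
  if (typeof hostHeader !== 'string' || hostHeader.length > 255) return null;
  const m = HOST_RE.exec(hostHeader);
  if (!m) return null;
  if (m[2] !== undefined && Number(m[2]) > 65535) return null;
  const host = m[1].toLowerCase(); // host is case-insensitive (RFC 3986 3.2.2)
  return allowedHosts.has(host) ? host : null;
}

// Hypothetical helper for the use case the advisory names: building an
// absolute URL (e.g. a password-reset link). It refuses to emit a link
// rather than reference a host the application does not own.
function absoluteUrl(hostHeader, path, allowedHosts) {
  const host = strictHostname(hostHeader, allowedHosts);
  return host === null ? null : `https://${host}${path}`;
}

// Constructed allowlist and sample Host header values for the comparison.
const ALLOWED_HOSTS = new Set(['app.example.com']);
const SAMPLE_HOSTS = [
  'app.example.com',
  'app.example.com:8443',
  'app.example.com@attacker.example', // constructed malformed header with "@"
  'other.example.com',
];

function compare(hostHeader, allowedHosts = ALLOWED_HOSTS) {
  return { naive: naiveHostname(hostHeader), strict: strictHostname(hostHeader, allowedHosts) };
}

for (const h of SAMPLE_HOSTS) console.log(h, '=>', compare(h));
```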
Statement
Red Hat Product Security considers this issue as High severity. A remote, unauthenticated attacker can send a specially crafted HTTP Host header containing a valid RFC 3986 userinfo component (using the @ delimiter). Due to improper parsing of the authority field in the ctx.hostname API, the application may treat attacker-controlled input as the hostname value. Exploitation occurs when the server processes the malicious request and does not require user interaction (UI:N). Applications that rely on ctx.hostname to construct absolute URLs, such as password reset links, email verification links, OAuth redirect URIs, or webhook endpoints, may generate security-sensitive URLs that reference an attacker-controlled domain. This can result in integrity violations, including manipulation of authentication flows or account takeover scenarios. Integrity impact is therefore rated High. Confidentiality impact is considered Low because disclosure of sensitive data depends on application-specific usage patterns. The vulnerability does not automatically expose information from the server. However, if an affected application uses the manipulated hostname value to generate security-sensitive links such as password reset or email verification URLs and embeds tokens in those links without additional validation, a victim who later follows such a link may inadvertently disclose those tokens to an attacker-controlled domain. Such disclosure is conditional and application-dependent (it hinges on how the application constructs URLs), and it requires further user interaction beyond the initial exploitation, so the confidentiality impact is assessed as Low (C:L).
Mitigation
Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates once they become available.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Developer Hub | rhdh/rhdh-hub-rhel9 | Affected | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-dashboard-rhel9 | Out of support scope | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-mod-arch-gen-ai-rhel9 | Out of support scope | | |
| Red Hat OpenShift AI (RHOAI) | rhoai/odh-mod-arch-model-registry-rhel9 | Out of support scope | | |
| Red Hat OpenShift Container Platform 4 | openshift4/ose-monitoring-plugin-rhel9 | Affected | | |
| Red Hat OpenShift Dev Spaces | devspaces/code-rhel9 | Not affected | | |
| Self-service automation portal 2 | ansible-automation-platform/automation-portal | Affected | | |
CVSS3: 8.2 High