Koa Host Header Injection Vulnerability in `ctx.hostname` API
Vulnerability
A host header injection vulnerability has been identified in Koa 3.0.0 through 3.1.1 and in Koa 2.16.3 (the 2.x line before 2.16.4). The `ctx.hostname` getter parses the HTTP Host header naively: it returns everything before the first colon and never checks the result against the RFC 3986 host syntax (IP literal, IPv4 address or reg-name). A Host value containing an `@` (a value of the form `trusted-host@attacker-host`) therefore passes straight through, and `ctx.hostname` returns the attacker-controlled string as if it were a valid hostname. When that string is interpolated into an absolute URL (`https://${ctx.hostname}/reset?...`), URL parsers and browsers treat the part before the `@` as userinfo and the part after it as the real host, so the generated link resolves to the attacker's domain. Applications that use `ctx.hostname` for URL generation, password reset links, email verification URLs or routing decisions are affected.
Impact
Successful exploitation means `ctx.hostname` returns a value chosen by the attacker. Depending on how the application uses it, this enables poisoning of password reset and email verification links (the victim's token is delivered to the attacker's host when the link is followed), redirection of OAuth callback URLs, and web cache poisoning where responses containing the hostname are cached without the Host header as part of the cache key.
Reproduction
To reproduce this vulnerability, send a request to a Koa application with a crafted Host header that includes a `@` symbol. Configure the application with `app.proxy = true` as described; with proxy trust on, Koa takes the host from `X-Forwarded-Host` when that header is present and falls back to `Host` otherwise, so the crafted value can be supplied in either header. Proxy trust is not a precondition for the faulty parse itself: with `app.proxy` left at its default of `false` the same split is applied to the raw `Host` header. Any handler that echoes `ctx.hostname` or builds an absolute URL from it will then return the attacker-controlled value in its response, demonstrating the injection.
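The parse described above and the reproduction step, as an added example in plain Node (this is not Koa's source and not the advisory's proof of concept). `naiveHostname` is a simplified model of the pre-fix getter, `safeHostname` is one possible RFC 3986 check written for this example, and the Host value, token and domain names are constructed for the demo. The example takes the already-selected host string as input, so it applies equally to a value that arrived via `Host` or, with `app.proxy` enabled, via `X-Forwarded-Host`.

```javascript
// Added example, not Koa's own code: a model of the pre-fix ctx.hostname
// parse next to a hardened version, and a demonstration of how a crafted
// Host value poisons a password-reset link built from the naive result.
// All hostnames, tokens and header values below are constructed.

// Model of the vulnerable getter (assumption: simplified from the behaviour
// the advisory describes): everything before the first ':' is returned,
// with no check that it is a syntactically valid host.
function naiveHostname(hostHeader) {
  if (!hostHeader) return '';
  if (hostHeader[0] === '[') {
    // Bracketed IPv6 literal: defer to the WHATWG URL parser.
    try { return new URL(`http://${hostHeader}/`).hostname; } catch { return ''; }
  }
  return hostHeader.split(':', 1)[0];
}

// RFC 3986 reg-name: unreserved / pct-encoded / sub-delims. '@', '/', '?',
// '#' and whitespace are outside this set, so a Host carrying them is rejected.
const REG_NAME = /^(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+$/;

// Hardened replacement: returns '' unless the value is an IPv6 literal in
// brackets, an IPv4 address or a reg-name, optionally followed by ':port'.
// Returning '' on failure is this example's choice; callers must treat ''
// as "no trustworthy host" and never fall back to the raw header.
function safeHostname(hostHeader) {
  if (!hostHeader) return '';
  if (hostHeader[0] === '[') {
    const end = hostHeader.indexOf(']');
    if (end === -1) return '';
    const literal = hostHeader.slice(1, end);
    const rest = hostHeader.slice(end + 1);
    if (rest !== '' && !/^:\d*$/.test(rest)) return '';
    // The URL parser rejects anything that is not a well-formed IPv6 address.
    try { new URL(`http://[${literal}]/`); } catch { return ''; }
    return `[${literal}]`;
  }
  const parts = hostHeader.split(':');
  if (parts.length > 2) return '';
  if (parts.length === 2 && !/^\d*$/.test(parts[1])) return '';
  return REG_NAME.test(parts[0]) ? parts[0] : '';
}

// What a typical application does with ctx.hostname: build an absolute link.
function buildResetLink(hostname, token) {
  return `https://${hostname}/reset?token=${encodeURIComponent(token)}`;
}

// Where a browser (or any WHATWG URL parser) would actually send that link.
function effectiveHost(link) {
  return new URL(link).hostname;
}

function demo() {
  const token = 'constructed-reset-token';               // constructed sample
  const crafted = 'example.com@attacker.invalid';         // constructed Host value

  const naive = naiveHostname(crafted);
  const naiveLink = buildResetLink(naive, token);
  return {
    naive,                                  // 'example.com@attacker.invalid'
    naiveLink,                              // 'https://example.com@attacker.invalid/reset?token=...'
    naiveTarget: effectiveHost(naiveLink),  // 'attacker.invalid': 'example.com' became userinfo
    safe: safeHostname(crafted),            // '' : rejected, so no link is built
  };
}

const result = demo();
if (result.naiveTarget !== 'attacker.invalid' || result.safe !== '') {
  throw new Error('demo did not behave as expected');
}
// Benign values parse identically under both implementations.
for (const h of ['example.com', 'example.com:8080', '[::1]:3000', '192.0.2.10']) {
  if (safeHostname(h) !== naiveHostname(h)) throw new Error(`mismatch for ${h}`);
}
console.log(result);
```

The point of `effectiveHost` is that the dangerous step is not the parse alone but the interpolation: the naive value looks like a hostname to string code, yet once it is embedded in a URL the `@` re-partitions it into credentials plus a different host.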
Remediation
Upgrade to Koa 3.1.2 (3.x line) or 2.16.4 (2.x line), which add validation to `ctx.hostname`. Independently of the upgrade, code that builds absolute URLs for security-sensitive flows (password reset, email verification, OAuth callbacks) should compare the request host against a configured allowlist of expected hosts rather than trusting any request-derived value, since that removes the dependency on the framework's parser altogether.
