@koa/router
- >= 14.0.0, < 15.0.0
An access control bypass vulnerability has been identified in the @koa/router package, affecting versions 14.0.0 and later, before 15.0.0. When a router is created with a prefix that contains a path parameter (a `:name` segment), middleware registered on that router with `.use()` is silently omitted from the execution chain for its routes. Depending on what the skipped middleware does, an attacker can bypass authentication and authorization, evade rate limiting, or circumvent input sanitization.
Successful exploitation lets an attacker do exactly what the skipped middleware was meant to prevent: reach protected routes without valid credentials, exceed rate limits, or submit unvalidated input, any of which can be used to manipulate application behaviour or access sensitive information.
To reproduce this vulnerability, create a router whose prefix includes a path parameter, register middleware on it with the `.use()` method, and define a route under that router. Requests to the route never pass through the middleware, even though it is correctly registered. A middleware that sets a marker response header, or rejects unauthenticated requests with 401, makes the omission directly observable.
Upgrade @koa/router to version 15.0.0 or higher.