Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 62 npm packages depend on @koa/router (50 direct, 12 indirect)
Ecosystem-wide dependent count for version 14.0.0.
DescriptionCVE.org
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.
AnalysisAI
{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.
Technical ContextAI
The vulnerability resides in @koa/router, the official routing middleware for Koa.js (Node.js). The root cause class is CWE-284 (Improper Access Control), specifically a logic defect in how parameterized route prefixes interact with middleware path registration. In lib/layer.js, the path existence check was implemented as a JavaScript falsy check (if (this.path)) rather than a strict type guard (if (typeof this.path === 'string')). Separately, lib/router.js registered path-less .use() middleware with a fallback of '([^/]*)' and pathAsRegExp: true. When a router prefix contains path parameters (e.g., /:category), the prefix is compiled to a RegExp internally; the falsy checks then evaluate the RegExp object as truthy in some branches and handle it incorrectly in others, causing the middleware to be registered under a pattern that never matches actual requests. The middleware is silently skipped with no error. The fix in PR #206 corrects both the type checks in layer.js and replaces the '([^/]*)' fallback with an empty string '' while computing pathAsRegExp based on whether the original path was a RegExp instance. CPE: cpe:2.3:a:n/a:@koa/router:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade @koa/router to version 15.0.0 or later, which incorporates the fix from commit d53e17f284557b1f417946f9807ee52290c3c759 merged via PR #206 (https://github.com/koajs/router/pull/206). Run npm install @koa/router@>=15.0.0 or update the version constraint in package.json accordingly. Note: the fix version 15.0.0 is inferred from the EUVD affected range - verify the exact available release against the npm registry before deploying. If an immediate upgrade is blocked by breaking changes in v15, a targeted workaround is to avoid parameterized router prefixes entirely and instead restructure middleware to be applied per-route explicitly rather than at the router level; this trade-off requires code restructuring and introduces risk of missing middleware coverage on newly added routes. Alternatively, move security-critical middleware (authentication, authorization) to the application level via app.use() rather than router.use(), which bypasses this bug - note this changes middleware scoping and may affect route-specific logic. Snyk advisory: https://security.snyk.io/vuln/SNYK-JS-KOAROUTER-12215044.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31792
GHSA-47p6-69vm-vw6v