Skip to main content

@koa/router EUVDEUVD-2026-31792

| CVE-2026-9495 MEDIUM
Improper Access Control (CWE-284)
2026-05-26 snyk GHSA-47p6-69vm-vw6v
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Source Code Evidence Fetched
Jun 08, 2026 - 11:33 vuln.today
Analysis Generated
Jun 08, 2026 - 11:33 vuln.today
Severity Changed
May 26, 2026 - 13:37 NVD
HIGH MEDIUM
CVSS changed
May 26, 2026 - 13:37 NVD
7.3 (HIGH) 5.5 (MEDIUM)
Patch available
May 26, 2026 - 08:02 EUVD

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 62 npm packages depend on @koa/router (50 direct, 12 indirect)

Ecosystem-wide dependent count for version 14.0.0.

DescriptionCVE.org

Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.

AnalysisAI

{ prefix: '/:category' })`), enabling complete bypass of whatever protection that middleware was intended to enforce - authentication, authorization, rate limiting, or input sanitization. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is remotely exploitable with no authentication or user interaction required, and SSVC classifies it as automatable. Publicly available exploit code exists per SSVC classification; EPSS is low at 0.09% (25th percentile), suggesting limited widespread exploitation at time of analysis.

Technical ContextAI

The vulnerability resides in @koa/router, the official routing middleware for Koa.js (Node.js). The root cause class is CWE-284 (Improper Access Control), specifically a logic defect in how parameterized route prefixes interact with middleware path registration. In lib/layer.js, the path existence check was implemented as a JavaScript falsy check (if (this.path)) rather than a strict type guard (if (typeof this.path === 'string')). Separately, lib/router.js registered path-less .use() middleware with a fallback of '([^/]*)' and pathAsRegExp: true. When a router prefix contains path parameters (e.g., /:category), the prefix is compiled to a RegExp internally; the falsy checks then evaluate the RegExp object as truthy in some branches and handle it incorrectly in others, causing the middleware to be registered under a pattern that never matches actual requests. The middleware is silently skipped with no error. The fix in PR #206 corrects both the type checks in layer.js and replaces the '([^/]*)' fallback with an empty string '' while computing pathAsRegExp based on whether the original path was a RegExp instance. CPE: cpe:2.3:a:n/a:@koa/router:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade @koa/router to version 15.0.0 or later, which incorporates the fix from commit d53e17f284557b1f417946f9807ee52290c3c759 merged via PR #206 (https://github.com/koajs/router/pull/206). Run npm install @koa/router@>=15.0.0 or update the version constraint in package.json accordingly. Note: the fix version 15.0.0 is inferred from the EUVD affected range - verify the exact available release against the npm registry before deploying. If an immediate upgrade is blocked by breaking changes in v15, a targeted workaround is to avoid parameterized router prefixes entirely and instead restructure middleware to be applied per-route explicitly rather than at the router level; this trade-off requires code restructuring and introduces risk of missing middleware coverage on newly added routes. Alternatively, move security-critical middleware (authentication, authorization) to the application level via app.use() rather than router.use(), which bypasses this bug - note this changes middleware scoping and may affect route-specific logic. Snyk advisory: https://security.snyk.io/vuln/SNYK-JS-KOAROUTER-12215044.

Share

EUVD-2026-31792 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy