Koa — CVE history (npm)
Koa
5 CVEs affect the Koa npm package (highest CVSS 7.5). Latest disclosed: 2026-02-26. Full CVE history sourced from NVD.
Summary
- Package
Koa(npm)- Total CVEs
5- Actively exploited (CISA KEV)
- 0
- Highest CVSS
7.5- Latest disclosed
- 2026-02-26
Recent CVEs (top 5)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27959 | High | 7.5 | — | 2026-02-26 | Koa is middleware for Node.js using ES2017 async functions. |
CVE-2025-62595 | Medium | 4.3 | — | 2025-10-21 | Koa is expressive middleware for Node.js using ES2017 async functions. |
CVE-2025-8129 | Low | 3.5 | — | 2025-07-25 | A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. |
CVE-2025-32379 | Medium | 5.0 | — | 2025-04-09 | Koa is expressive middleware for Node.js using ES2017 async functions. |
CVE-2025-25200 | High | 7.5 | — | 2025-02-12 | Koa is expressive middleware for Node.js using ES2017 async functions. |
All-time worst (top 5 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2026-27959 | High | 7.5 | — | 2026-02-26 | Koa is middleware for Node.js using ES2017 async functions. |
CVE-2025-25200 | High | 7.5 | — | 2025-02-12 | Koa is expressive middleware for Node.js using ES2017 async functions. |
CVE-2025-32379 | Medium | 5.0 | — | 2025-04-09 | Koa is expressive middleware for Node.js using ES2017 async functions. |
CVE-2025-62595 | Medium | 4.3 | — | 2025-10-21 | Koa is expressive middleware for Node.js using ES2017 async functions. |
CVE-2025-8129 | Low | 3.5 | — | 2025-07-25 | A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. |