Koa: Where can I report vulnerability details?

Created on 30 Jan 2018 · 11 Comments · Source: koajs/koa

Hi, I found some vulns, Is there any security related mail I can send my report?

P.S. I checked the website and GitHub, but I couldn't find where I can send the report :(

Labels: documentation, help wanted

All 11 comments

You can email me at [email protected]

I'll add my email in the docs for reporting vulnerabilities.

Hi, I have sent the vulnerability detail, please check it!

@orangetw @jonathanong it would be very interesting for everyone to know what exactly the vulnerability is about, what can get compromised, and if we as Koa users can do anything to protect ourselves.

@maticrivo I believe reporting to maintainers in advance is the right approach. Further details may be revealed after there's a fix.

@dotnil of course, I'm saying after they review it and fix/patch the vulnerability

any update you can share about this?

I've received two reports. One is not about Koa itself but one of its middleware (which is this issue). Another is about setting headers, which was vague because they didn't describe the actual attack. Yeah, a client can set whatever headers they want...

thanks for the update @jonathanong

> yeah, a client can set whatever headers they want...

@jonathanong I can't seem to find the comment, but vaguely recall semi-consensus around adding some form of app.trustHeaderfield() API?

I would also add a possibility of spoofing an IP address when behind an Nginx server: https://github.com/koajs/koa/issues/599#issuecomment-239493311

Although technically the documentation says that it uses X-Forwarded-For to determine the IP address, and an Nginx user should be aware that X-Forwarded-For is spoofable (to work with even more external proxies), I don't think many people know that. ctx.ip seems like a safe way to determine the IP address of the client, and most of the time it is, but not when behind Nginx.
I don't know whose responsibility it is to educate about this potential vulnerability, so I just put it here.
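As an added example (not code from this thread or from Koa itself), the JavaScript below re-implements how Koa derives ctx.ip from X-Forwarded-For and shows why trusting the first entry is spoofable behind a single Nginx hop, while trusting only the rightmost entry (the one the proxy you control appended) is not. It assumes Nginx is configured with `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`, which appends the TCP peer address to whatever the client already sent; the addresses are constructed sample values.

```javascript
// Added example: a stand-alone re-implementation of Koa's ctx.ip derivation
// (not Koa's own code), to show the X-Forwarded-For spoofing risk behind Nginx.

// Mirrors Koa's request.ips: with app.proxy enabled the header is split on
// commas; maxIpsCount (0 = unlimited) keeps only the rightmost entries, i.e.
// those appended by proxies you actually control.
function forwardedIps(xffHeader, { proxy = false, maxIpsCount = 0 } = {}) {
  if (!proxy || !xffHeader) return [];
  let ips = xffHeader.split(/\s*,\s*/);
  if (maxIpsCount > 0) ips = ips.slice(-maxIpsCount);
  return ips;
}

// Mirrors Koa's request.ip: first forwarded entry, else the TCP peer address.
function clientIp(socketAddr, xffHeader, opts) {
  return forwardedIps(xffHeader, opts)[0] || socketAddr;
}

// Constructed model of Nginx with $proxy_add_x_forwarded_for: the peer
// address is appended after anything the client supplied itself.
function nginxForward(clientSentXff, clientAddr) {
  return clientSentXff ? `${clientSentXff}, ${clientAddr}` : clientAddr;
}

const NGINX_ADDR = '127.0.0.1';     // Koa sees Nginx as its TCP peer
const REAL_CLIENT = '203.0.113.7';  // constructed (TEST-NET-3) client address
const SPOOFED = '10.0.0.1';         // value a client puts in its own header

function demo() {
  const honest = nginxForward('', REAL_CLIENT);
  const spoofed = nginxForward(SPOOFED, REAL_CLIENT);
  return {
    // proxy off: header ignored, but then every client looks like Nginx
    proxyOff: clientIp(NGINX_ADDR, spoofed, { proxy: false }),
    // proxy on, first entry trusted: the client-supplied value wins
    trustFirst: clientIp(NGINX_ADDR, spoofed, { proxy: true }),
    // proxy on, only the single entry Nginx appended is trusted
    trustLastHop: clientIp(NGINX_ADDR, spoofed, { proxy: true, maxIpsCount: 1 }),
    honestLastHop: clientIp(NGINX_ADDR, honest, { proxy: true, maxIpsCount: 1 }),
  };
}
```

maxIpsCount here mirrors the app.maxIpsCount setting that later Koa releases added; on the 2018 Koa discussed in this thread the equivalent is to read the last entry of ctx.ips yourself, with maxIpsCount set to the number of proxy hops you control.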
