Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an attacker could bypass authentication and authorization, evade rate limiting or bypass input sanitization.
Casky was already ahead
This CVE relies on attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-9495 is an access control bypass vulnerability in @koa/router versions 14.0.0 through 14.x that occurs when a router prefix contains path parameters. The middleware protection chain is silently dropped from execution, allowing attackers to bypass critical security controls including authentication, authorization, rate limiting, and input sanitization. This affects any application using vulnerable versions of @koa/router where security middleware is configured with parameterized prefixes, making it a high-severity issue (CVSS 7.3) with broad impact across Node.js web applications that rely on this popular routing library.
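As an added audit helper (not code from the advisory, from @koa/router, or from Casky), the script below checks a resolved @koa/router version against the affected range and scans source text for the combination the advisory describes: a router whose prefix contains a path parameter together with middleware registered on that router via `.use()`. The regexes, the sample sources and the `requireAuth` / `listSecrets` names are constructed for this example.

```javascript
// Added audit helper, not part of @koa/router, the advisory or Casky. It flags source
// that pairs a parameterized router prefix with router-level middleware while the
// installed @koa/router is in the affected range 14.0.0 <= v < 15.0.0 (from the
// advisory); the regexes and sample sources are constructed for this example.
'use strict';

// Expects a resolved version (lockfile or `npm ls @koa/router`), not a range like "^14".
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m !== null && Number(m[1]) === 14;
}

// Find `const <name> = new Router({ prefix: '...' })` whose prefix has a `:param`
// segment, and report whether the file also calls `<name>.use(` (router-level middleware).
function findRiskyRouters(source) {
  const ctor = /(?:const|let|var)\s+(\w+)\s*=\s*new\s+Router\s*\(\s*\{[^}]*?prefix\s*:\s*(['"`])([^'"`]+)\2[^}]*\}\s*\)/g;
  const findings = [];
  let match;
  while ((match = ctor.exec(source)) !== null) {
    const [, name, , prefix] = match;
    const params = prefix.split('/').filter((seg) => seg.startsWith(':'));
    if (params.length === 0) continue; // static prefix: not the pattern in question
    const routerLevelMiddleware = new RegExp(`\\b${name}\\.use\\s*\\(`).test(source);
    findings.push({ router: name, prefix, params, routerLevelMiddleware });
  }
  return findings;
}

// Findings that need review: parameterized prefix plus router.use() on that router.
function audit(version, source) {
  const risky = findRiskyRouters(source).filter((f) => f.routerLevelMiddleware);
  return { affectedVersion: isAffectedVersion(version), risky };
}

// Constructed sample: tenant-scoped router guarding its routes via router.use().
const sampleVulnerable = `
const api = new Router({ prefix: '/tenants/:tenantId' });
api.use(requireAuth);
api.get('/secrets', listSecrets);
`;

// Constructed sample: guard mounted on the app instead (a workaround assumed here,
// not prescribed by the advisory, whose fix is upgrading); the audit does not flag it.
const sampleHardened = `
app.use(requireAuth);
const api = new Router({ prefix: '/tenants/:tenantId' });
api.get('/secrets', listSecrets);
`;
```

The scan only locates places to review while a 14.x version is installed; the remediation the advisory implies is moving to 15.0.0, after which the router-level pattern is no longer affected.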
While this CVE maps to CWE-284 (Improper Access Control), Casky's platform would detect the attack patterns through behavioral analysis of middleware execution chains and route handling anomalies. A practitioner using Casky would observe findings related to unexpected middleware bypass patterns, unauthenticated requests reaching protected endpoints, and inconsistent security control enforcement across router instances. Claude's extended reasoning capability would correlate these signals to identify the root cause: path parameter injection in router prefix configurations that trigger silent middleware elimination. Although this CVE doesn't currently map to MITRE ATT&CK techniques, practitioners should monitor for T1190 (Exploit Public-Facing Application) and T1134 (Access Token Manipulation) patterns in their security logs, as attackers would leverage the authentication bypass to gain unauthorized access.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro.
Casky has 0 skills that investigate the attack patterns behind CVE-2026-9495. Run one and get CVSS-scored findings in 3 minutes.
© 2026 Casky.AI, Inc. · AI Security Investigation