NoSQL Injection

Overview @feathersjs/mongodb is a Feathers MongoDB service adapter Affected versions of this package are vulnerable to NoSQL Injection via the id parameter in WebSocket requests, passed through getObjectId, which fails to perform type checking. An attacker can inject database queries by sending...

GHSA-P9XR-7P9P-GPQX Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method get, patch, update, remove. The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId and land directly in the...

Improper Authentication

Overview @feathersjs/authentication-oauth is an oAuth 1 and 2 authentication for Feathers. Powered by Grant. Affected versions of this package are vulnerable to Improper Authentication via the callback component. An attacker can gain unauthorized access to existing user accounts by sending a...

Feathers has an OAuth Callback Account Takeover issue

An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query the raw request query when Grant's session/state responses are empt...

Feathers 授权问题漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. In versions 5.0.0 to 5.0.42 of Feathers, there was an authorization vulnerability. This vulnerability stemmed from the OAuth service’s...

Feathers 安全漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. There were security vulnerabilities in versions of Feathers 5.0.0 to 5.0.42. These vulnerabilities stemmed from the lack of type checking ...

CVE-2026-27193 Feathers exposes internal headers via unencrypted session cookie

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth servi...

CVE-2026-27191 Feathers: Open Redirect in OAuth callback enables account takeover

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...

Feathers 输入验证错误漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contain a vulnerability related to input validation errors. This vulnerability arises from redirectin...

Feathers 信息泄露漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contained an information leakage vulnerability. This vulnerability stemmed from the fact that all HTT...

Feathers 访问控制错误漏洞

Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier have a security vulnerability related to access control. This vulnerability stems from the use of the...

Feathers exposes internal headers via unencrypted session cookie

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...

GHSA-9M9C-VPV5-9G85 Feathers exposes internal headers via unencrypted session cookie

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: javascript //...

GHSA-MP4X-C34X-WV3X Feathers has an origin validation bypass via prefix matching

The origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin function checks if the Referer header starts with any allowed origin: javascript //...

Feathers has an origin validation bypass via prefix matching

The origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin function checks if the Referer header starts with any allowed origin: javascript //...

EUVD-2022-7026

Malicious code in bioql PyPI...

EUVD-2022-7154

Malicious code in bioql PyPI...

Malicious code in feathers-protectpay (npm)

The package feathers-protectpay was found to contain malicious code...

MAL-2025-20342 Malicious code in feathers-amqp-events (npm)

The package feathers-amqp-events was found to contain malicious code...