Lucene search
+L
FeathersjsFeathers

6 matches found

CVE
CVE
added 2023/07/19 7:45 p.m.2528 views

CVE-2023-37899

CVE-2023-37899 concerns Feathersjs: the socket handler fails to catch invalid string conversion errors (e.g., a crafted toString object), causing Node.js to crash on unexpected Socket.io messages. A fix is available in Feathers versions 5.0.8 and 4.5.18; users should upgrade. There is no known wo...

7.5CVSS7.5AI score0.00963EPSS
CVE
CVE
added 2026/02/21 3:23 a.m.25 views

CVE-2026-27191

Feathersjs (Feathers) Open Redirect in OAuth callback (CVE-2026-27191) affects versions 5.0.39 and earlier where the redirect query parameter is appended to the base origin without validation. This allows an attacker to steal victims’ access tokens via URL authority injection, leading to account ...

7.4CVSS5.6AI score0.00254EPSS
CVE
CVE
added 2026/03/10 8:8 p.m.23 views

CVE-2026-29793

Feathersjs vulnerability CVE-2026-29793 affects Feathersjs 5.0.0–5.0.41 with Socket.IO client-supplied ids not type-checked, which may pass as MongoDB operators (e.g., {$ne: null}) into queries via the MongoDB adapter. This can cause unintended document matches and impacts on confidentiality, int...

9.8CVSS5.9AI score0.00461EPSS
CVE
CVE
added 2026/02/21 4:9 a.m.22 views

CVE-2026-27193

Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...

8.2CVSS5.5AI score0.00354EPSS
CVE
CVE
added 2026/03/10 8:6 p.m.22 views

CVE-2026-29792

Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant’s session/state is empty, allowing an attacker to drive enti...

9.8CVSS5.8AI score0.00519EPSS
Web
CVE
CVE
added 2026/02/21 3:50 a.m.20 views

CVE-2026-27192

Feathersjs vulnerability CVE-2026-27192 affects 5.0.39 and earlier. The origin validation in getAllowedOrigin() uses startsWith() to compare Referer against allowed origins, which can be bypassed by registering a domain with a shared prefix (e.g., https://target.com.attacker.com vs https://target...

8.1CVSS5.7AI score0.0024EPSS