4 matches found
CVE-2023-37899
CVE-2023-37899 concerns Feathersjs: the socket handler fails to catch invalid string conversion errors (e.g., a crafted toString object), causing Node.js to crash on unexpected Socket.io messages. A fix is available in Feathers versions 5.0.8 and 4.5.18; users should upgrade. There is no known wo...
CVE-2026-27191
Feathersjs (Feathers) Open Redirect in OAuth callback (CVE-2026-27191) affects versions 5.0.39 and earlier where the redirect query parameter is appended to the base origin without validation. This allows an attacker to steal victims’ access tokens via URL authority injection, leading to account ...
CVE-2026-27193
Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...
CVE-2026-27192
Feathersjs vulnerability CVE-2026-27192 affects 5.0.39 and earlier. The origin validation in getAllowedOrigin() uses startsWith() to compare Referer against allowed origins, which can be bypassed by registering a domain with a shared prefix (e.g., https://target.com.attacker.com vs https://target...