Lucene search
+L

4 matches found

CVE
CVE
added 2023/07/19 7:45 p.m.2528 views

CVE-2023-37899

CVE-2023-37899 concerns Feathersjs: the socket handler fails to catch invalid string conversion errors (e.g., a crafted toString object), causing Node.js to crash on unexpected Socket.io messages. A fix is available in Feathers versions 5.0.8 and 4.5.18; users should upgrade. There is no known wo...

7.5CVSS7.5AI score0.00963EPSS
CVE
CVE
added 2026/02/21 3:23 a.m.25 views

CVE-2026-27191

Feathersjs (Feathers) Open Redirect in OAuth callback (CVE-2026-27191) affects versions 5.0.39 and earlier where the redirect query parameter is appended to the base origin without validation. This allows an attacker to steal victims’ access tokens via URL authority injection, leading to account ...

7.4CVSS5.6AI score0.00254EPSS
CVE
CVE
added 2026/02/21 4:9 a.m.22 views

CVE-2026-27193

Feathersjs versions ≤ 5.0.39 store all HTTP request headers in the signed but unencrypted session cookie. The complete headers object (including internal proxy/gateway headers, API keys, tokens, and internal IPs) is base64-encoded in the cookie and readable by clients, exposing sensitive infrastr...

8.2CVSS5.5AI score0.00354EPSS
CVE
CVE
added 2026/02/21 3:50 a.m.20 views

CVE-2026-27192

Feathersjs vulnerability CVE-2026-27192 affects 5.0.39 and earlier. The origin validation in getAllowedOrigin() uses startsWith() to compare Referer against allowed origins, which can be bypassed by registering a domain with a shared prefix (e.g., https://target.com.attacker.com vs https://target...

8.1CVSS5.7AI score0.0024EPSS