Feathersjs Feathers vulnerabilities
6 known vulnerabilities affecting feathersjs/feathers.
Total CVEs
6
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL: 2, HIGH: 2, MEDIUM: 2
Vulnerabilities
CVE-2026-29792 | P2 | CRITICAL | CVSS 9.8 | ≥ 5.0.0, < 5.0.42 | 2026-03-10
CVE-2026-29792 [CRITICAL] CWE-287
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reach
Source: nvd
CVE-2026-29793 | P3 | CRITICAL | CVSS 9.8 | ≥ 5.0.0, < 5.0.42 | 2026-03-10
CVE-2026-29793 [CRITICAL] CWE-943
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses t
Source: nvd
CVE-2026-27192 | P3 | HIGH | CVSS 8.1 | fixed in 5.0.40 | 2026-02-21
CVE-2026-27192 [HIGH] CWE-346
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks if the Refer
Source: nvd
CVE-2023-37899 | P3 | HIGH | CVSS 7.5 | fixed in 4.5.18; ≥ 5.0.0, < 5.0.8 (+1 more) | 2023-07-19
CVE-2023-37899 [HIGH] CWE-754
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' }
Source: nvd
CVE-2026-27193 | P4 | MEDIUM | CVSS 5.3 | fixed in 5.0.40 | 2026-02-21
CVE-2026-27193 [MEDIUM] CWE-200
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session,
Source: nvd
CVE-2026-27191 | P4 | MEDIUM | CVSS 6.1 | fixed in 5.0.40 | 2026-02-21
CVE-2026-27191 [MEDIUM] CWE-601
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the vic
Source: nvd