Feathers
CVE-2026-27192
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40.
AnalysisAI
Origin validation bypass in Feathers framework versions 5.0.39 and below allows remote attackers to hijack OAuth tokens by registering domains with a common prefix to legitimate allowed origins, exploiting insufficient string comparison in the getAllowedOrigin() function. An attacker can craft a domain like https://target.com.attacker.com to bypass validation configured for https://target.com and intercept authentication credentials. This affects iOS applications and systems using vulnerable Feathers versions, though exploitation requires specific OAuth flow configurations.
Technical ContextAI
Classified as CWE-346 (Origin Validation Error). Affects Feathers. Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 5.0.40.. Restrict network access to the affected service where possible.
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Rated high sev
Feathersjs versions 5.0.39 and below contain an open redirect vulnerability in the redirect query parameter that fails t
Feathersjs versions 5.0.39 and below store unencrypted HTTP headers in base64-encoded session cookies, allowing attacker
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-mp4x-c34x-wv3x