Skip to main content

Feathers CVE-2026-27192

HIGH
Origin Validation Error (CWE-346)
2026-02-21 security-advisories@github.com GHSA-mp4x-c34x-wv3x
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:04 vuln.today
Patch released
Feb 25, 2026 - 15:12 nvd
Patch available
CVE Published
Feb 21, 2026 - 04:15 nvd
HIGH 8.1

DescriptionGitHub Advisory

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40.

AnalysisAI

Origin validation bypass in Feathers framework versions 5.0.39 and below allows remote attackers to hijack OAuth tokens by registering domains with a common prefix to legitimate allowed origins, exploiting insufficient string comparison in the getAllowedOrigin() function. An attacker can craft a domain like https://target.com.attacker.com to bypass validation configured for https://target.com and intercept authentication credentials. This affects iOS applications and systems using vulnerable Feathers versions, though exploitation requires specific OAuth flow configurations.

Technical ContextAI

Classified as CWE-346 (Origin Validation Error). Affects Feathers. Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 5.0.40.. Restrict network access to the affected service where possible.

Share

CVE-2026-27192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy