Feathers
CVE-2026-27193
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
AnalysisAI
Feathersjs versions 5.0.39 and below store unencrypted HTTP headers in base64-encoded session cookies, allowing attackers with network access to decode and retrieve sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. Authenticated users can exploit this vulnerability in deployments behind reverse proxies or API gateways to gain unauthorized access to sensitive information. A patch is available for affected installations.
Technical ContextAI
Classified as CWE-200 (Information Exposure). Affects Feathers. Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are
RemediationAI
A vendor patch is available — apply it immediately. Fixed in version 5.0.40.. Restrict network access to the affected service where possible.
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Rated high sev
Origin validation bypass in Feathers framework versions 5.0.39 and below allows remote attackers to hijack OAuth tokens
Feathersjs versions 5.0.39 and below contain an open redirect vulnerability in the redirect query parameter that fails t
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-9m9c-vpv5-9g85