Skip to main content

MongoDB CVE-2026-29793

Improper Neutralization of Special Elements in Data Query Logic (CWE-943)
2026-03-10 security-advisories@github.com GHSA-p9xr-7p9p-gpqx

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
CVE Published
Mar 10, 2026 - 20:16 nvd
N/A

DescriptionCVE.org

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.

AnalysisAI

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id mat...

Technical ContextAI

This vulnerability (CWE-943: Improper Neutralization of Special Elements in Data Query Logic) affects Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to. Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matche

Affected ProductsAI

Product: Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to. Versions: up to 5.0.42.

RemediationAI

Fixed in version 5.0.42..

CVE-2013-1892 MEDIUM POC
6.0 Oct 01

MongoDB before 2.0.9 and 2.2.x before 2.2.4 does not properly validate requests to the nativeHelper function in SpiderMo

CVE-2013-3969 MEDIUM POC
6.5 Oct 01

The find prototype in scripting/engine_v8.h in MongoDB 2.4.0 through 2.4.4 allows remote authenticated users to cause a

CVE-2026-25887 HIGH POC
7.2 Mar 06

Remote code execution in Chartbrew versions prior to 4.8.1 allows authenticated attackers with high privileges to execut

CVE-2019-2386 HIGH POC
7.1 Aug 06

After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's

CVE-2012-6619 MEDIUM POC
6.4 Mar 06

The default configuration for MongoDB before 2.3.2 does not validate objects, which allows remote authenticated users to

CVE-2026-3431 CRITICAL
9.8 Mar 02

SimStudio below 0.5.74 has a missing authorization on MongoDB tool endpoints that allows attackers to execute arbitrary

CVE-2024-8654 CRITICAL
9.8 Sep 10

MongoDB Server may access non-initialized region of memory leading to unexpected behaviour when zero arguments are calle

CVE-2024-1351 CRITICAL
9.8 Mar 07

Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation which ma

CVE-2021-20333 MEDIUM POC
5.3 Jul 23

Sending specially crafted commands to a MongoDB Server may result in artificial log entries being generated or for log e

CVE-2017-15535 CRITICAL
9.1 Nov 01

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompr

CVE-2020-2268 HIGH
8.8 Sep 16

A cross-site request forgery (CSRF) vulnerability in Jenkins MongoDB Plugin 1.3 and earlier allows attackers to gain acc

CVE-2013-2132 MEDIUM POC
4.3 Aug 15

bson/_cbsonmodule.c in the mongo-python-driver (aka. Rated medium severity (CVSS 4.3), this vulnerability is remotely ex

Share

CVE-2026-29793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy