CVE-2026-27192

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401	Patch
https://github.com/feathersjs/feathers/releases/tag/v5.0.40	Product Release Notes
https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2026-02-21 04:15

Updated : 2026-02-25 15:12

NVD link : CVE-2026-27192

Mitre link : CVE-2026-27192

CVE.ORG link : CVE-2026-27192

JSON object : View

Products Affected

feathersjs

feathers

CWE

CWE-346

Origin Validation Error

{"id": "CVE-2026-27192", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-21T04:15:58.697", "references": [{"url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-346"}]}], "descriptions": [{"lang": "en", "value": "Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40."}, {"lang": "es", "value": "Feathersjs es un framework para crear APIs web y aplicaciones en tiempo real con TypeScript o JavaScript. En las versiones 5.0.39 e inferiores, la validaci\u00f3n de origen utiliza startsWith() para la comparaci\u00f3n, lo que permite a los atacantes eludir la verificaci\u00f3n al registrar un dominio que comparte un prefijo com\u00fan con un origen permitido. La funci\u00f3n getAllowedOrigin() comprueba si el encabezado Referer comienza con cualquier origen permitido, y esta comparaci\u00f3n es insuficiente ya que solo valida el prefijo. Esto es explotable cuando el array de or\u00edgenes est\u00e1 configurado y un atacante registra un dominio que comienza con una cadena de origen permitida (p. ej., https://target.com.attacker.com elude https://target.com). Por s\u00ed solos, los tokens siguen siendo redirigidos a un origen configurado. Sin embargo, en escenarios espec\u00edficos un atacante puede iniciar el flujo de OAuth desde un origen no autorizado y exfiltrar tokens, logrando una toma de control total de la cuenta. Este problema ha sido solucionado en la versi\u00f3n 5.0.40."}], "lastModified": "2026-02-25T15:12:45.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5396E6E0-0D34-409C-A8A6-57AF06A90FEE", "versionEndExcluding": "5.0.40"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}