{"url":"http://public2.vulnerablecode.io/api/packages/74144?format=json","purl":"pkg:npm/%40feathersjs/authentication-oauth@5.0.40","type":"npm","namespace":"@feathersjs","name":"authentication-oauth","version":"5.0.40","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"5.0.42","latest_non_vulnerable_version":"5.0.42","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50257?format=json","vulnerability_id":"VCID-atvx-pz7x-zkak","summary":"Feathers has an open redirect in OAuth callback enables account takeover\nThe `redirect` query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them.\n\nThe application constructs the final redirect URL by concatenating the base origin with the user-supplied `redirect` parameter:\n```javascript\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4\nconst { redirect } = query;\n...\nsession.redirect = redirect;\n\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98\nconst redirectUrl = `${redirect}${queryRedirect}`;\n```\n\nWhere:\n- `redirect` = base origin from config (e.g., `https://target.com`)\n- `queryRedirect` = user input from `?redirect=` parameter\n\nThis is exploitable when the `origins` array is configured and origin values do not end with `/`. An attacker can supply `@attacker.com` as the redirect value, which results in `https://target.com@attacker.com#access_token=...`, where the browser interprets `attacker.com` as the host, leading to full account takeover.\n\n**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) from Codean Labs.","references":[{"reference_url":"https://github.com/feathersjs/feathers","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers"},{"reference_url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"},{"reference_url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27191","reference_id":"CVE-2026-27191","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27191"},{"reference_url":"https://github.com/advisories/GHSA-ppf9-4ffw-hh4p","reference_id":"GHSA-ppf9-4ffw-hh4p","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-ppf9-4ffw-hh4p"},{"reference_url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p","reference_id":"GHSA-ppf9-4ffw-hh4p","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74144?format=json","purl":"pkg:npm/%40feathersjs/authentication-oauth@5.0.40","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540feathersjs/authentication-oauth@5.0.40"}],"aliases":["CVE-2026-27191","GHSA-ppf9-4ffw-hh4p"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-atvx-pz7x-zkak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50241?format=json","vulnerability_id":"VCID-bffn-qsdh-53gx","summary":"Feathers exposes internal headers via unencrypted session cookie\nAll HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients.\n\nThe OAuth service stores the complete headers object in the session:\n```javascript\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L173\nsession.headers = headers;\n```\n\nThe session is persisted using `cookie-session`, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value.\n\nUnder specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses.\n\n**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) from Codean Labs.","references":[{"reference_url":"https://github.com/feathersjs/feathers","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers"},{"reference_url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"},{"reference_url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27193","reference_id":"CVE-2026-27193","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27193"},{"reference_url":"https://github.com/advisories/GHSA-9m9c-vpv5-9g85","reference_id":"GHSA-9m9c-vpv5-9g85","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-9m9c-vpv5-9g85"},{"reference_url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85","reference_id":"GHSA-9m9c-vpv5-9g85","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74144?format=json","purl":"pkg:npm/%40feathersjs/authentication-oauth@5.0.40","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540feathersjs/authentication-oauth@5.0.40"}],"aliases":["CVE-2026-27193","GHSA-9m9c-vpv5-9g85"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bffn-qsdh-53gx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50267?format=json","vulnerability_id":"VCID-k776-tjp4-fbeq","summary":"Feathers has an origin validation bypass via prefix matching\nThe origin validation uses `startsWith()` for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.\n\nThe `getAllowedOrigin()` function checks if the Referer header starts with any allowed origin:\n```javascript\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L75\nconst allowedOrigin = origins.find((current) => referer.toLowerCase().startsWith(current.toLowerCase()));\n```\n\nThis comparison is insufficient as it only validates the prefix. This is exploitable when the `origins` array is configured and an attacker registers a domain starting with an allowed origin string (e.g., `https://target.com.attacker.com` bypasses `https://target.com`).\n\nOn its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover.\n\n**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) from Codean Labs.","references":[{"reference_url":"https://github.com/feathersjs/feathers","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers"},{"reference_url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"},{"reference_url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27192","reference_id":"CVE-2026-27192","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27192"},{"reference_url":"https://github.com/advisories/GHSA-mp4x-c34x-wv3x","reference_id":"GHSA-mp4x-c34x-wv3x","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-mp4x-c34x-wv3x"},{"reference_url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x","reference_id":"GHSA-mp4x-c34x-wv3x","reference_type":"","scores":[],"url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74144?format=json","purl":"pkg:npm/%40feathersjs/authentication-oauth@5.0.40","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540feathersjs/authentication-oauth@5.0.40"}],"aliases":["CVE-2026-27192","GHSA-mp4x-c34x-wv3x"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k776-tjp4-fbeq"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540feathersjs/authentication-oauth@5.0.40"}