CVE-2026-29792 in Feathersjs
Summary
by MITRE • 03/10/2026
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
Analysis
by VulDB Data Team • 03/19/2026
This vulnerability affects Feathersjs versions 5.0.0 through 5.0.41 and is a critical authentication bypass: an unauthenticated attacker obtains a valid access token for an existing user without ever talking to the OAuth provider. The root cause lies in the handling of the OAuth callback endpoint. A crafted GET request sent directly to /oauth/:provider/callback with a forged profile in the query string is processed even though no OAuth authorize flow was ever started. Grant, the OAuth middleware that Feathers builds on, only produces a session or state response after a completed authorize round trip, so a direct callback request leaves both empty, and the service's fallback logic takes over.
The flaw is in how the OAuth service assembles its authentication payload. The payload comes from a fallback chain that tries Grant's session response, then its state response, and finally params.query, the raw request query. When the first two are empty, attacker-controlled query parameters become the authentication result. The service treats the forged profile as if the provider had returned it, runs the entity lookup (matching the profile against existing users) and mints a JWT for the matched user. Nothing on this path verifies that the callback was preceded by an authorize request or that the profile originated from the provider. The defect is therefore acceptance of untrusted client input as an authenticated identity, an improper-authentication bug rather than a flaw in the OAuth protocol itself.
The operational impact is account takeover. An attacker who knows or can guess the attributes the entity lookup keys on for a target user (typically the provider-side user id) obtains a valid access token for that user, with all of that user's privileges, from a single unauthenticated HTTP request and without any credentials. Every protected resource reachable with that token is exposed, and if the impersonated account is an administrator the attacker inherits that role as well. Applications that rely on OAuth as their primary or only login path are the most exposed, since the bypass never touches the provider and leaves no trace there. From that foothold the usual consequences follow: data exposure, persistence through the victim's account, and movement to whatever the application trusts that account to reach.
Organizations running Feathersjs 5.0.0 through 5.0.41 should upgrade to 5.0.42 or later, which fixes the fallback to the raw request query. Security teams should also monitor for GET requests to /oauth/:provider/callback that carry profile data in the query string, or that arrive without a preceding request to /oauth/:provider from the same client: a legitimate provider redirect carries an authorization code and state (or an OAuth 1.0a token and verifier), never a profile. Rate limiting the callback endpoint slows guessing of target identifiers but does not close the bypass, so it is a complement to the upgrade, not a substitute. The issue maps to CWE-287 (Improper Authentication) and ATT&CK technique T1078 (Valid Accounts), since the attacker ends up holding a token the application itself issued. The broader lesson is that in an OAuth integration the provider's response must come only from the server-side state the middleware established during the authorize flow, never from request input, and that every fallback in an authentication path has to be checked for the case where the trusted sources are simply absent.
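The monitoring advice above as an added detection pass over access log lines; this is example code written for this page, not a VulDB or Feathers artifact. The Common Log Format subset, the sample lines and the client addresses are constructed, and the "no preceding /oauth/:provider from the same client" heuristic is an assumption about how a browser-driven flow looks from the server, so treat that reason as a weaker signal than profile data in the callback query.

```javascript
// Added example, not a VulDB or Feathers artifact: flag OAuth callback requests that
// look like a direct, forged hit rather than a provider redirect. Log format and
// sample lines are constructed; the prior-authorize heuristic is an assumption.

const CALLBACK_RE = /^\/oauth\/([^/]+)\/callback$/;
const AUTHORIZE_RE = /^\/oauth\/([^/]+)$/;
// Common Log Format subset: client ip ... [timestamp] "METHOD target PROTO"
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Resolve against a placeholder origin so the WHATWG URL parser splits path and query.
  const url = new URL(m[3], 'http://placeholder.invalid');
  return { ip: m[1], method: m[2], path: url.pathname, query: url.searchParams };
}

// Walks the lines in order and returns one finding per suspicious callback request.
// Order matters: an authorize request only "covers" callbacks that come after it.
function findSuspiciousCallbacks(lines) {
  const authorizedBy = new Set(); // "ip|provider" pairs seen at /oauth/:provider
  const findings = [];
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.method !== 'GET') continue;
    const cb = CALLBACK_RE.exec(req.path);
    if (!cb) {
      const auth = AUTHORIZE_RE.exec(req.path);
      if (auth) authorizedBy.add(`${req.ip}|${auth[1]}`);
      continue;
    }
    const provider = cb[1];
    const reasons = [];
    // A provider redirect never carries a profile; only the forged request does.
    const keys = [...req.query.keys()];
    if (keys.some((k) => k === 'profile' || k.startsWith('profile['))) {
      reasons.push('profile data in callback query');
    }
    // Code flow carries code (+ state); OAuth 1.0a carries oauth_token (+ oauth_verifier).
    if (!req.query.has('code') && !req.query.has('oauth_token')) {
      reasons.push('no authorization code or OAuth token');
    }
    if (!authorizedBy.has(`${req.ip}|${provider}`)) {
      reasons.push(`no preceding /oauth/${provider} request from this client`);
    }
    if (reasons.length) findings.push({ ip: req.ip, provider, reasons, line });
  }
  return findings;
}

// Constructed sample: one normal github login, two direct callback hits with a
// forged profile from another address, and an unrelated API request.
const sampleLog = [
  '10.0.0.5 - - [19/Mar/2026:10:00:01 +0000] "GET /oauth/github HTTP/1.1" 302 0',
  '10.0.0.5 - - [19/Mar/2026:10:00:04 +0000] "GET /oauth/github/callback?code=AbC123&state=s1 HTTP/1.1" 302 0',
  '203.0.113.9 - - [19/Mar/2026:10:07:30 +0000] "GET /oauth/github/callback?profile[id]=1001&profile[email]=alice%40example.com HTTP/1.1" 200 412',
  '203.0.113.9 - - [19/Mar/2026:10:07:31 +0000] "GET /oauth/github/callback?profile=%7B%22id%22%3A1001%7D HTTP/1.1" 200 412',
  '198.51.100.4 - - [19/Mar/2026:10:09:00 +0000] "GET /api/messages HTTP/1.1" 200 88'
];

for (const f of findSuspiciousCallbacks(sampleLog)) {
  console.log(`${f.ip} -> ${f.provider}: ${f.reasons.join('; ')}`);
}
```

Run over the constructed sample, only the two requests from 203.0.113.9 are reported, each with all three reasons; the real login from 10.0.0.5 is silent because its callback carries a code, carries no profile, and follows an authorize request from the same address. Behind a proxy or load balancer the ip field should be taken from the forwarded-for header the proxy sets, or the prior-authorize check will produce noise.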