Platform: nodejs
Component: @feathersjs/authentication-oauth
Fixed in: 5.0.1, 5.0.42
CVE-2026-29792 describes a critical authentication bypass vulnerability within the @feathersjs/authentication-oauth component of FeathersJS. This flaw allows an unauthenticated attacker to craft a malicious GET request and obtain a valid access token for an existing user without initiating a proper OAuth authorization flow. The vulnerability impacts versions prior to 5.0.42 and requires immediate attention to prevent unauthorized access and potential data breaches.
The impact of CVE-2026-29792 is severe. An attacker can leverage this vulnerability to impersonate legitimate users within the FeathersJS application. By forging the OAuth profile in the query string of a GET request to /oauth/:provider/callback, they bypass the authentication process and obtain a valid access token. This token grants them access to the affected user's data and functionality, potentially enabling them to perform actions on behalf of the user, including data modification, deletion, or exfiltration. The lack of authentication required for exploitation significantly broadens the attack surface, making it accessible to a wide range of threat actors.
CVE-2026-29792 was publicly disclosed on 2026-03-10. While no public proof-of-concept (PoC) has been released as of this writing, the vulnerability's ease of exploitation and the potential for significant impact suggest a medium probability of exploitation (EPSS score likely medium). It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Applications built with FeathersJS that utilize the @feathersjs/authentication-oauth package for OAuth authentication are at risk. This includes applications with legacy configurations that do not properly validate OAuth callback requests or those relying on shared hosting environments where the application's security posture may be less controlled. Specifically, applications using older versions of FeathersJS and its authentication modules are most vulnerable.
• nodejs / server:
ps aux | grep -i feathers
find / -type d -path "*node_modules/@feathersjs/authentication-oauth" -exec ls -l {} +
• generic web (":provider" is a placeholder for the configured OAuth provider name, e.g. github):
curl -I "https://your-feathersjs-app.com/oauth/:provider/callback?profile=malicious_profile"
grep -E '"GET /oauth/[^/]+/callback\?[^"]*profile=' /var/log/apache2/access.log | grep -E '" 200 '
Disclosure
Exploit status
EPSS: 0.05% (16th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29792 is to upgrade the @feathersjs/authentication-oauth package to version 5.0.42 or later. This version includes a fix that prevents the fallback to the raw request query for authentication payload data. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to /oauth/:provider/callback with suspicious query parameters. Thoroughly review and restrict access to the OAuth callback endpoint, ensuring only trusted sources can initiate OAuth flows. After upgrading, confirm the fix by attempting to access the /oauth/:provider/callback endpoint with a forged profile in the query string; the request should be rejected.
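The following script is an added example (not FeathersJS project code) that implements the two defender-side checks described in the detection and mitigation sections above: it decides whether an installed @feathersjs/authentication-oauth version is older than the fixed release 5.0.42, reads that version out of a parsed package-lock.json, and scans access-log lines for GET requests to /oauth/<provider>/callback that carry a "profile" query parameter, which a genuine redirect from the OAuth provider (carrying code/state) does not. The log lines, the lock-file fragment and the function names are constructed for the example.

```javascript
// Added example, not part of FeathersJS: version check and log scan for
// CVE-2026-29792 in @feathersjs/authentication-oauth.

const FIXED_VERSION = '5.0.42'; // fixed release named in the advisory

// Minimal major.minor.patch comparison; a leading range marker such as
// "^" or "~" is stripped, pre-release suffixes are ignored.
function compareVersions(a, b) {
  const parse = (v) => v.replace(/^[^\d]*/, '').split('.').map((n) => parseInt(n, 10) || 0);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the installed package is older than 5.0.42.
function isVulnerableVersion(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Version of @feathersjs/authentication-oauth from a parsed package-lock.json
// (lockfileVersion 2/3 "packages" map); null when the package is not present.
function lockedOAuthVersion(lock) {
  const entry = lock.packages && lock.packages['node_modules/@feathersjs/authentication-oauth'];
  return entry ? entry.version : null;
}

// One Apache/nginx combined-format access-log line:
// ip ident user [time] "METHOD target PROTO" status ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

// Return {ip, time, provider, status} for every GET to /oauth/<provider>/callback
// whose query string contains a "profile" parameter.
function findSuspiciousCallbacks(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue; // not a parseable request line
    const [, ip, time, method, target, status] = m;
    const url = new URL(target, 'http://placeholder.invalid'); // base only for parsing
    const path = url.pathname.match(/^\/oauth\/([^/]+)\/callback$/);
    if (!path || method !== 'GET') continue;
    if (!url.searchParams.has('profile')) continue;
    hits.push({ ip, time, provider: path[1], status: Number(status) });
  }
  return hits;
}

// Constructed sample log lines (not real traffic): a normal provider redirect
// carrying code/state, a callback request that injects a profile, and an
// unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /oauth/github/callback?code=abc123&state=xyz HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Mar/2026:12:00:07 +0000] "GET /oauth/github/callback?profile=%7B%22id%22%3A%221%22%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
  '203.0.113.9 - - [10/Mar/2026:12:00:09 +0000] "GET /users HTTP/1.1" 200 1024 "-" "curl/8.0"',
];

// Constructed package-lock fragment (not from a real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: { 'node_modules/@feathersjs/authentication-oauth': { version: '5.0.40' } },
};

if (typeof require !== 'undefined' && require.main === module) {
  const v = lockedOAuthVersion(SAMPLE_LOCK);
  console.log(`locked version ${v}: vulnerable = ${isVulnerableVersion(v)}`);
  console.log('suspicious callbacks:', findSuspiciousCallbacks(SAMPLE_LOG));
}
```

Run it with `node` against your own lock file by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json'))`, and feed real log lines to findSuspiciousCallbacks; a hit with status 200 on a callback that carries a profile parameter is the request pattern the advisory describes and is worth correlating with the access tokens issued at that time.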
Update FeathersJS to version 5.0.42 or later. This version fixes the authentication-bypass vulnerability in the OAuth callback. The update prevents unauthenticated attackers from gaining unauthorized access to user accounts.
CVE-2026-29792 is a critical vulnerability in FeathersJS OAuth allowing unauthenticated attackers to forge profiles and obtain access tokens for existing users, impacting versions before 5.0.42.
You are affected if your FeathersJS application uses the @feathersjs/authentication-oauth package and is running a version prior to 5.0.42. Immediate action is required.
Upgrade the @feathersjs/authentication-oauth package to version 5.0.42 or later. Consider WAF rules as a temporary mitigation if upgrading is not immediately possible.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation. Monitor security advisories and threat intelligence.
Refer to the official FeathersJS security advisories and release notes on their website or GitHub repository for the latest information and updates.