Search criteria
7 vulnerabilities by feathersjs
CVE-2026-27193 (GCVE-0-2026-27193)
Vulnerability from cvelistv5 – Published: 2026-02-21 04:09 – Updated: 2026-02-21 04:09
VLAI?
Title
Feathers exposes internal headers via unencrypted session cookie
Summary
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| feathersjs | feathers |
Affected:
< 5.0.40
|
{
"containers": {
"cna": {
"affected": [
{
"product": "feathers",
"vendor": "feathersjs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.40"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T04:09:06.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85"
},
{
"name": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"
},
{
"name": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40"
}
],
"source": {
"advisory": "GHSA-9m9c-vpv5-9g85",
"discovery": "UNKNOWN"
},
"title": "Feathers exposes internal headers via unencrypted session cookie"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27193",
"datePublished": "2026-02-21T04:09:06.855Z",
"dateReserved": "2026-02-18T19:47:02.154Z",
"dateUpdated": "2026-02-21T04:09:06.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27192 (GCVE-0-2026-27192)
Vulnerability from cvelistv5 – Published: 2026-02-21 03:50 – Updated: 2026-02-21 03:50
VLAI?
Title
Feathers has an origin validation bypass via prefix matching
Summary
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40.
Severity ?
CWE
- CWE-346 - Origin Validation Error
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| feathersjs | feathers |
Affected:
< 5.0.40
|
{
"containers": {
"cna": {
"affected": [
{
"product": "feathers",
"vendor": "feathersjs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.40"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin.The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has bee fixed in version 5.0.40."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T03:50:35.954Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x"
},
{
"name": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"
},
{
"name": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40"
}
],
"source": {
"advisory": "GHSA-mp4x-c34x-wv3x",
"discovery": "UNKNOWN"
},
"title": "Feathers has an origin validation bypass via prefix matching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27192",
"datePublished": "2026-02-21T03:50:35.954Z",
"dateReserved": "2026-02-18T19:47:02.154Z",
"dateUpdated": "2026-02-21T03:50:35.954Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27191 (GCVE-0-2026-27191)
Vulnerability from cvelistv5 – Published: 2026-02-21 03:23 – Updated: 2026-02-21 03:23
VLAI?
Title
Feathers: Open Redirect in OAuth callback enables account takeover
Summary
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them. The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter. This is exploitable when the origins array is configured and origin values do not end with /. An attacker can supply @attacker.com as the redirect value results in https://target.com@attacker.com#access_token=..., where the browser interprets attacker.com as the host, leading to full account takeover. This issue has been fixed in version 5.0.40.
Severity ?
CWE
- CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| feathersjs | feathers |
Affected:
< 5.0.40
|
{
"containers": {
"cna": {
"affected": [
{
"product": "feathers",
"vendor": "feathersjs",
"versions": [
{
"status": "affected",
"version": "\u003c 5.0.40"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim\u0027s access token and can impersonate them. The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter. This is exploitable when the origins array is configured and origin values do not end with /. An attacker can supply @attacker.com as the redirect value results in https://target.com@attacker.com#access_token=..., where the browser interprets attacker.com as the host, leading to full account takeover. This issue has been fixed in version 5.0.40."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T03:23:28.340Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p"
},
{
"name": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"
},
{
"name": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40"
}
],
"source": {
"advisory": "GHSA-ppf9-4ffw-hh4p",
"discovery": "UNKNOWN"
},
"title": "Feathers: Open Redirect in OAuth callback enables account takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27191",
"datePublished": "2026-02-21T03:23:28.340Z",
"dateReserved": "2026-02-18T19:47:02.154Z",
"dateUpdated": "2026-02-21T03:23:28.340Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-37899 (GCVE-0-2023-37899)
Vulnerability from cvelistv5 – Published: 2023-07-19 19:45 – Updated: 2024-10-28 15:12
VLAI?
Title
feathersjs socket handler allows abusing implicit toString
Summary
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: '' }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit('find', { toString: '' })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability.
Severity ?
7.5 (High)
CWE
- CWE-754 - Improper Check for Unusual or Exceptional Conditions
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| feathersjs | feathers |
Affected:
< 4.5.18
Affected: >= 5.0.0, < 5.0.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T17:23:27.750Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9"
},
{
"name": "https://github.com/feathersjs/feathers/pull/3241",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/feathersjs/feathers/pull/3241"
},
{
"name": "https://github.com/feathersjs/feathers/pull/3242",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/feathersjs/feathers/pull/3242"
},
{
"name": "https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19"
},
{
"name": "https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-37899",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-28T15:11:51.616890Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-28T15:12:04.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "feathers",
"vendor": "feathersjs",
"versions": [
{
"status": "affected",
"version": "\u003c 4.5.18"
},
{
"status": "affected",
"version": "\u003e= 5.0.0, \u003c 5.0.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Feathers socket handler did not catch invalid string conversion errors like `const message = ${{ toString: \u0027\u0027 }}` which would cause the NodeJS process to crash when sending an unexpected Socket.io message like `socket.emit(\u0027find\u0027, { toString: \u0027\u0027 })`. A fix has been released in versions 5.0.8 and 4.5.18. Users are advised to upgrade. There is no known workaround for this vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-19T19:45:31.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-hhr9-rh25-hvf9"
},
{
"name": "https://github.com/feathersjs/feathers/pull/3241",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/pull/3241"
},
{
"name": "https://github.com/feathersjs/feathers/pull/3242",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/pull/3242"
},
{
"name": "https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19"
},
{
"name": "https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19"
}
],
"source": {
"advisory": "GHSA-hhr9-rh25-hvf9",
"discovery": "UNKNOWN"
},
"title": "feathersjs socket handler allows abusing implicit toString"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-37899",
"datePublished": "2023-07-19T19:45:31.386Z",
"dateReserved": "2023-07-10T17:51:29.610Z",
"dateUpdated": "2024-10-28T15:12:04.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29823 (GCVE-0-2022-29823)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
VLAI?
Title
Feathers - Query “__proto__” is converted to real prototype
Summary
Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application.
Severity ?
10 (Critical)
CWE
- CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ("Prototype Pollution")
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.743Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-29823/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
}
],
"value": "Feather-Sequalize cleanQuery method uses insecure recursive logic to filter unsupported keys from the query object. This results in a Remote Code Execution (RCE) with privileges of application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1321",
"description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\"Prototype Pollution\")",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:39:49.662Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-29823/"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - Query \u201c__proto__\u201d is converted to real prototype",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-29823",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-04-27T00:00:00",
"dateUpdated": "2025-03-11T13:39:49.662Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-2422 (GCVE-0-2022-2422)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:41
VLAI?
Title
Feathers - SQL injection via attribute aliases
Summary
Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used.
Severity ?
10 (Critical)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T00:39:07.281Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-2422"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
}
],
"value": "Due to improper input validation in the Feathers js library, it is possible to perform a SQL injection attack on the back-end database, in case the feathers-sequelize package is used."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:41:09.960Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-2422"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - SQL injection via attribute aliases",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-2422",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-07-15T00:00:00",
"dateUpdated": "2025-03-11T13:41:09.960Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29822 (GCVE-0-2022-29822)
Vulnerability from cvelistv5 – Published: 2022-10-25 00:00 – Updated: 2025-03-11 13:39
VLAI?
Title
Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
Summary
Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection
Severity ?
10 (Critical)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Feather js | Feathers-Sequalize |
Affected:
6.x , < 6.3.4
(custom)
|
Credits
Thomas Rinsma (Codean)
Kevin Valk (Codean)
Victor Pasman (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:33:42.585Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/CVE-2022-29822/"
},
{
"tags": [
"third-party-advisory",
"x_transferred"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Feathers-Sequalize",
"vendor": "Feather js",
"versions": [
{
"lessThan": "6.3.4",
"status": "affected",
"version": "6.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Rinsma (Codean)"
},
{
"lang": "en",
"type": "finder",
"value": "Kevin Valk (Codean)"
},
{
"lang": "en",
"type": "analyst",
"value": "Victor Pasman (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2022-10-24T22:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
}
],
"value": "Due to improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-11T13:39:56.587Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2022-29822/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2022-00020"
}
],
"source": {
"advisory": "DIVD-2022-00020",
"discovery": "EXTERNAL"
},
"title": "Feathers - Improper parameter filtering in the Feathers js library, which may ultimately lead to SQL injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2022-29822",
"datePublished": "2022-10-25T00:00:00",
"dateReserved": "2022-04-27T00:00:00",
"dateUpdated": "2025-03-11T13:39:56.587Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}