GHSA-PPF9-4FFW-HH4P

Vulnerability from github – Published: 2026-02-19 20:32 – Updated: 2026-02-19 20:32
VLAI?
Summary
Feathers has an open redirect in OAuth callback enables account takeover
Details

Description

The redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them.

The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter:

// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4
const { redirect } = query;
...
session.redirect = redirect;

// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98
const redirectUrl = `${redirect}${queryRedirect}`;

Where: - redirect = base origin from config (e.g., https://target.com) - queryRedirect = user input from ?redirect= parameter

This is exploitable when the origins array is configured and origin values do not end with /. An attacker can supply @attacker.com as the redirect value results in https://target.com@attacker.com#access_token=..., where the browser interprets attacker.com as the host, leading to full account takeover.

Credits: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.

Severity ?
7.4 (High)
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.39"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@feathersjs/authentication-oauth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27191"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-19T20:32:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Description\n\nThe `redirect` query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim\u0027s access token and can impersonate them.\n\nThe application constructs the final redirect URL by concatenating the base origin with the user-supplied `redirect` parameter:\n```javascript\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4\nconst { redirect } = query;\n...\nsession.redirect = redirect;\n\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98\nconst redirectUrl = `${redirect}${queryRedirect}`;\n```\n\nWhere:\n- `redirect` = base origin from config (e.g., `https://target.com`)\n- `queryRedirect` = user input from `?redirect=` parameter\n\nThis is exploitable when the `origins` array is configured and origin values do not end with `/`.  An attacker can supply `@attacker.com` as the redirect value results in `https://target.com@attacker.com#access_token=...`, where the browser interprets `attacker.com` as the host, leading to full account takeover.\n\n**Credits**:  Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.",
  "id": "GHSA-ppf9-4ffw-hh4p",
  "modified": "2026-02-19T20:32:15Z",
  "published": "2026-02-19T20:32:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/feathersjs/feathers"
    },
    {
      "type": "WEB",
      "url": "https://github.com/feathersjs/feathers/releases/tag/v5.0.40"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Feathers has an open redirect in OAuth callback enables account takeover"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.