Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
Published: 2026-02-21
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

Feathersjs version 5.0.39 and earlier stores every HTTP request header in the session cookie. The cookie is signed but not encrypted, so base64 decoding exposes the entire headers object, including the internal proxy and gateway headers that the OAuth service placed in the session. The leaked data may contain API keys, service tokens, or internal IP addresses, compromising confidentiality. The flaw is categorized as a data confidentiality weakness (CWE-200).

Affected Systems

The vulnerability affects the Feathersjs framework, specifically Node.js applications using feathers version 5.0.39 or earlier. Deployments behind reverse proxies or API gateways may additionally expose internal infrastructure details through the unencrypted session data.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. The EPSS score is below 1% and the vulnerability is not listed in CISA’s KEV catalog, suggesting a low current probability of exploitation. Based on the description, an attacker who can obtain a client’s session cookie—whether through browser interception, cross‑site request forgery, or other client‑side attacks—is inferred to be able to decode it and read the exposed headers; because the cookie is only signed and not encrypted, the attack is inferred to be straightforward for remote attackers with access to the client or network traffic.

Generated by OpenCVE AI on April 18, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Feathersjs framework to version 5.0.40 or later to eliminate the storage of raw headers in the session cookie.
  • Configure session handling to encrypt cookie payloads or, if encryption is unavailable, remove sensitive headers from the session before persistence.
  • If upgrading immediately is not possible, restrict the visibility of internal headers on the reverse proxy or API gateway, and consider moving session storage to a server‑side store that does not expose header data to clients.

Generated by OpenCVE AI on April 18, 2026 at 11:21 UTC.
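The header-stripping mitigation from the recommended actions above, beside a check for the leak the description explains, as an added example that is not Feathers or cookie-session code. It assumes cookie-session's default encoding (base64 over the JSON of the session object, with the signature in a separate cookie), that the session key holding the headers is `headers`, and uses constructed sample headers and a hypothetical allowlist.

```javascript
'use strict';

// Constructed request headers as a gateway might forward them (placeholder values).
const sampleHeaders = {
  'user-agent': 'Mozilla/5.0',
  'accept-language': 'en-US',
  'x-forwarded-for': '10.0.0.5',
  'x-internal-api-key': 'PLACEHOLDER-NOT-A-REAL-KEY',
};

// Header names a login callback actually needs (hypothetical allowlist).
const ALLOWED_HEADERS = new Set(['user-agent', 'accept-language']);

// Mitigation: persist only allowlisted headers, never the whole req.headers object.
function pickSessionHeaders(headers, allowed = ALLOWED_HEADERS) {
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (allowed.has(key)) kept[key] = value;
  }
  return kept;
}

// Assumption: cookie-session's default encoding is base64 over the JSON of the
// session object; the signature lives in a separate cookie and hides nothing.
function encodeSession(session) {
  return Buffer.from(JSON.stringify(session)).toString('base64');
}

// Defender check: decode a session cookie value and list header names that look
// like internal infrastructure details (patterns are illustrative; extend as needed).
const SENSITIVE_HEADER = [/key/i, /token/i, /secret/i, /^x-forwarded-/i, /^x-real-ip$/i, /^x-internal-/i];

function auditSessionCookie(cookieValue) {
  const session = JSON.parse(Buffer.from(cookieValue, 'base64').toString('utf8'));
  const headers = session.headers || {}; // assumption: session key is `headers`
  return Object.keys(headers).filter((h) => SENSITIVE_HEADER.some((re) => re.test(h)));
}

// Vulnerable pattern: the complete headers object ends up in the cookie.
const leakyCookie = encodeSession({ headers: sampleHeaders });
// Hardened pattern: only the allowlisted subset is persisted.
const safeCookie = encodeSession({ headers: pickSessionHeaders(sampleHeaders) });
```

Running `auditSessionCookie` over a real session cookie captured from your own deployment is a quick way to confirm after upgrading that no gateway headers remain in the payload.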

Advisories
Source: GitHub GHSA
ID: GHSA-9m9c-vpv5-9g85
Title: Feathers exposes internal headers via unencrypted session cookie
History

Wed, 25 Feb 2026 22:15:00 +0000

Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 15:15:00 +0000

CPEs, values added: cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*
Metrics (cvssV3_1), values added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000

First Time appeared, values added: Feathersjs (vendor), Feathersjs feathers (product)
Vendors & Products, values added: Feathersjs (vendor), Feathersjs feathers (product)

Sat, 21 Feb 2026 04:30:00 +0000

Description, values added: the advisory description given at the top of this page.
Title, values added: Feathers exposes internal headers via unencrypted session cookie
Weaknesses, values added: CWE-200
References, values added: (none listed)
Metrics (cvssV4_0), values added: {'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:24:17.388Z

Reserved: 2026-02-18T19:47:02.154Z

Link: CVE-2026-27193

Vulnrichment

Updated: 2026-02-25T21:24:12.765Z

NVD

Status: Analyzed

Published: 2026-02-21T05:17:28.827

Modified: 2026-02-25T15:12:35.030

Link: CVE-2026-27193

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T11:30:44Z

Weaknesses