Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
Published: 2026-03-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Access token forgery leading to account takeover
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated attacker can craft a GET request to the /oauth/:provider/callback endpoint with a forged profile in the query string. Because the OAuth service uses a fallback chain that reaches the raw request query when the session information is absent, the forged profile can drive entity lookup and cause the framework to issue a valid JSON Web Token. This results in an attacker obtaining a legitimate access token for an existing user without ever contacting the OAuth provider. The weakness is an Authentication Bypass, described by CWE-287.

Affected Systems

The vulnerability affects Feathersjs authentication-oauth and feathers framework versions from 5.0.0 up to but not including 5.0.42. Users of these packages running a web API or real-time application that exposes the /oauth/:provider/callback route are potentially impacted.

Risk and Exploitability

The CVSS score of 9.3 indicates a critical severity, while the EPSS score of under 1% reflects a very low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a remote HTTP request, requiring no prior authentication or interaction with the OAuth provider, and can be triggered simply by visiting the crafted callback URL.

Generated by OpenCVE AI on April 16, 2026 at 09:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Feathersjs to version 5.0.42 or later to apply the vendor-provided fix.
  • If an upgrade is not feasible, modify the application to validate that an OAuth session or state is present before processing /oauth/:provider/callback requests, rejecting any callback without a corresponding initiate flow.
  • Monitor application logs for anomalous /oauth/:provider/callback activity and restrict access to the callback endpoint if possible.

Generated by OpenCVE AI on April 16, 2026 at 09:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wg9x-qfgw-pxhj Feathers has an OAuth Callback Account Takeover issue
History

Thu, 19 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 11 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Feathersjs
Feathersjs authentication-oauth
Feathersjs feathers
Vendors & Products Feathersjs
Feathersjs authentication-oauth
Feathersjs feathers

Tue, 10 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Description Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the OAuth provider. This vulnerability is fixed in 5.0.42.
Title Feathersjs has an OAuth Callback Account Takeover
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Feathersjs Authentication-oauth Feathers
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:10:22.938Z

Reserved: 2026-03-04T16:26:02.900Z

Link: CVE-2026-29792

cve-icon Vulnrichment

Updated: 2026-03-11T14:10:17.344Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-10T20:16:39.283

Modified: 2026-03-19T14:36:32.827

Link: CVE-2026-29792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:45:31Z

Weaknesses