Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.
Published: 2026-03-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated data disclosure, modification or deletion via NoSQL injection (get, patch, update and remove are all reachable)
Action: Apply Patch
AI Analysis

Impact

The Feathers Socket.IO transport hands the id argument of get, patch, update and remove to the service without checking its type. Over REST the id is a URL path segment and so always arrives as a string; over Socket.IO it is a JSON-serialised event argument, so a client can send a plain object and it reaches the service intact. In the MongoDB adapter that object passes through getObjectId() unchanged and lands in the _id position of the query, where MongoDB reads its keys as operators rather than as a literal value. An id of {$ne: null} therefore matches every document in the collection, and other operators ($in, $regex, $gt and so on) give finer selection. This is a NoSQL injection (CWE-943). With get the attacker reads documents they are not entitled to; with patch, update or remove the same crafted id lets them modify or delete documents they could not otherwise address, which is why the CVSS vector rates integrity and availability impact high alongside confidentiality. No credentials are needed unless the service itself enforces authentication.

Affected Systems

This issue affects applications on FeathersJS 5.0.0 through 5.0.41 (Node.js, TypeScript or JavaScript) that expose a service backed by the MongoDB adapter, package @feathersjs/mongodb, over Socket.IO. The advisory scopes the attack to the Socket.IO transport; a deployment that does not accept Socket.IO connections to the MongoDB-backed service is outside the vector it describes, while any deployment that does is reachable regardless of how the service is otherwise configured. Affected products include any FeathersJS-based API or real-time application relying on the MongoDB adapter during that release window.

Risk and Exploitability

The CVSS v4.0 score of 9.3 (NVD additionally records a v3.1 score of 9.8) reflects full loss of confidentiality, integrity and availability of the affected collections with no privileges or user interaction required. The EPSS score is below 1 %, indicating the current probability of observed exploitation is very low, and the vulnerability is not listed in CISA's KEV catalog; the SSVC assessment records exploitation as "none" but the vulnerability as automatable with total technical impact, so the low EPSS reflects the absence of observed attacks, not difficulty: the payload is a one-line JSON object. An attacker exploits this remotely by opening a Socket.IO connection and emitting a service call whose id argument is an object. Where the service has no authentication hook, no credentials are needed; where it does, any authenticated user can still use the crafted id to read, alter or delete documents beyond their own, so authentication narrows who can exploit, not what they can reach.

Generated by OpenCVE AI on April 16, 2026 at 03:26 UTC.

Remediation

The CVE description and GHSA-p9xr-7p9p-gpqx give 5.0.42 as the fixed release; no separate workaround is listed.

OpenCVE Recommended Actions

  • Upgrade FeathersJS, including @feathersjs/mongodb, to 5.0.42 or later, the release the advisory gives as fixed; the fix belongs in the framework, so do not rely on application-level checks alone.
  • As defence in depth, add a before hook on every MongoDB-backed service that rejects any id that is not a scalar of the expected shape (for most collections a 24-hex ObjectId string). An object in the id position is never legitimate and should fail with a 400 before it reaches the adapter.
  • Require authentication on the affected services and restrict which clients may open Socket.IO connections. Treat this as a limiting control only: an authenticated user can still send the crafted id and read, modify or delete every document, so it does not replace the upgrade.

Generated by OpenCVE AI on April 16, 2026 at 03:26 UTC.
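The following is an added illustration, not code from Feathers or from the advisory. It serves both the Impact analysis above (how an unchecked id becomes an operator in the MongoDB filter) and the second recommended action (a before hook that rejects non-scalar ids). The collection, the ids, the small operator evaluator that stands in for MongoDB, and the hook and function names are all constructed for this example; in a real app the hook would use BadRequest from @feathersjs/errors rather than the stand-in error built here.

```javascript
// Added illustration, not Feathers' own code. Models how an id that reaches
// the MongoDB adapter without a type check becomes an operator in the filter,
// and shows a before hook that rejects such ids. Collection, ids and the tiny
// operator evaluator below are all constructed for this example.

// Constructed stand-in for a MongoDB collection; _id values are 24-hex
// strings, the stringified form of an ObjectId.
const USERS = [
  { _id: '64f1a0c3e4b0a1b2c3d4e5f6', email: 'alice@example.test', role: 'admin' },
  { _id: '64f1a0c3e4b0a1b2c3d4e5f7', email: 'bob@example.test',   role: 'user'  },
  { _id: '64f1a0c3e4b0a1b2c3d4e5f8', email: 'carol@example.test', role: 'user'  },
];

// Enough of MongoDB's comparison semantics to evaluate the operators an
// attacker would put in an id position; a plain object in value position is
// read as {operator: argument}, which is exactly the ambiguity the injection relies on.
function matchesValue(actual, expected) {
  if (expected !== null && typeof expected === 'object' && !Array.isArray(expected)) {
    return Object.entries(expected).every(([op, arg]) => {
      switch (op) {
        case '$ne':    return actual !== arg;
        case '$in':    return arg.includes(actual);
        case '$nin':   return !arg.includes(actual);
        case '$gt':    return actual > arg;
        case '$regex': return new RegExp(arg).test(String(actual));
        default: throw new Error(`operator ${op} not modelled`);
      }
    });
  }
  return actual === expected;   // scalar: literal equality
}

function find(collection, filter) {
  return collection.filter(doc =>
    Object.entries(filter).every(([field, expected]) => matchesValue(doc[field], expected)));
}

// Vulnerable shape: the id taken from the Socket.IO message is dropped into
// the _id slot of the filter as-is. A string selects one document; an object
// such as {$ne: null} is an operator expression and selects every document.
function unsafeSelectById(collection, id) {
  return find(collection, { _id: id });
}

// Hardened shape: a Feathers-style before hook. Feathers passes the service
// call's id as context.id (undefined for find and create). Only a string that
// looks like an ObjectId gets through; objects, arrays and numbers are rejected.
// The ObjectId format check is an assumption about this collection's id scheme;
// an app using numeric or UUID ids would check for that shape instead.
const OBJECT_ID_RE = /^[0-9a-fA-F]{24}$/;

function rejectNonScalarId(context) {
  const { id } = context;
  if (id === undefined || id === null) return context;
  if (typeof id !== 'string' || !OBJECT_ID_RE.test(id)) {
    // Stand-in for BadRequest from @feathersjs/errors so the block needs no dependency.
    const err = new Error(`Invalid id: ${JSON.stringify(id)}`);
    err.name = 'BadRequest';
    err.code = 400;
    throw err;
  }
  return context;
}

function safeSelectById(collection, id) {
  rejectNonScalarId({ id, method: 'get' });   // what the hook would see
  return find(collection, { _id: id });
}

// Demonstration with constructed payloads.
console.log(unsafeSelectById(USERS, '64f1a0c3e4b0a1b2c3d4e5f6').map(d => d.email)); // alice only
console.log(unsafeSelectById(USERS, { $ne: null }).map(d => d.email));               // all three
try {
  safeSelectById(USERS, { $ne: null });
} catch (e) {
  console.log(`${e.name} ${e.code}: ${e.message}`);                                  // rejected
}
```

In a Feathers app the hook is registered with the regular hooks object, for example `app.service('users').hooks({ before: { all: [rejectNonScalarId] } })`, so that it runs before the adapter for every method. Keep it after upgrading to 5.0.42 as defence in depth: it costs nothing and makes the service's id contract explicit.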

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-p9xr-7p9p-gpqx   Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
History

Thu, 19 Mar 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Feathersjs feathers
CPEs                                  cpe:2.3:a:feathersjs:feathers:*:*:*:*:*:node.js:*:*
Vendors & Products                    Feathersjs feathers
Metrics                               cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 11 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Feathersjs; Feathersjs mongodb
Vendors & Products                    Feathersjs; Feathersjs mongodb

Tue, 10 Mar 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    (the description text given in the Description section at the top of this page)
Title                          NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Weaknesses                     CWE-943
References
Metrics                        cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-11T14:09:19.913Z

Reserved: 2026-03-04T16:26:02.900Z

Link: CVE-2026-29793

Vulnrichment

Updated: 2026-03-11T14:09:16.546Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:39.437

Modified: 2026-03-19T14:29:03.533

Link: CVE-2026-29793

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses