CVE-2026-27192

8.1 HIGH

📋 TL;DR

FeathersJS versions 5.0.39 and below have an origin validation vulnerability where the getAllowedOrigin() function uses startsWith() for comparison, allowing attackers to bypass CORS/CSRF protections by registering domains with common prefixes. This affects applications using FeathersJS with configured allowed origins, potentially enabling attackers to exfiltrate OAuth tokens and achieve account takeover.

💻 Affected Systems

Products:
  • FeathersJS
Versions: 5.0.39 and below
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when origins array is configured in FeathersJS application settings


⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover via OAuth token exfiltration when an attacker initiates the OAuth flow from a malicious domain that bypasses origin validation

🟠 Likely Case

CSRF attacks and unauthorized API access from attacker-controlled domains that share a prefix with an allowed origin

🟢 If Mitigated

Limited impact if proper token validation and additional security layers are implemented

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires an attacker to register a domain whose origin string begins with an allowed origin and to initiate an OAuth flow from it

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.40

Vendor Advisory: https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x

Restart Required: Yes

Instructions:

1. Update FeathersJS to version 5.0.40 or higher
2. Run: npm update @feathersjs/feathers
3. Restart your application
4. Verify the fix by checking package.json version

🔧 Temporary Workarounds

Strict Origin Validation (applies to: all platforms)

Implement custom origin-validation middleware that compares the request origin against each configured entry with an exact string match (scheme, host and port) instead of a prefix match
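The following is an added illustration, not FeathersJS source: the first function reproduces the prefix-match behaviour the advisory attributes to getAllowedOrigin() (its body is an assumption modelled on that description), and the second is the exact-match replacement the workaround calls for, comparing canonical origins (scheme + host + port) so that a longer origin sharing the prefix is rejected.

```javascript
// Added example: vulnerable prefix matching beside an exact-origin replacement.
// Not the FeathersJS implementation; function bodies are assumptions based on
// the advisory's description of getAllowedOrigin() using startsWith().

// Constructed allow-list, as an application would set in its `origins` config.
const allowedOrigins = ['https://app.example.com', 'https://admin.example.com:8443'];

// Vulnerable behaviour as described by the advisory: any request origin that
// merely starts with a configured entry is accepted.
function getAllowedOriginVulnerable(requestOrigin, allowed = allowedOrigins) {
  return allowed.find((o) => requestOrigin.startsWith(o)) || null;
}

// Normalise a value to its canonical origin. URL.origin keeps only
// scheme + host + port and drops default ports, paths and userinfo, so
// 'https://app.example.com:443' canonicalises to 'https://app.example.com'.
function canonicalOrigin(value) {
  try {
    const u = new URL(value);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return u.origin;
  } catch (_err) {
    return null; // not an absolute URL: reject rather than guess
  }
}

// Hardened replacement: exact equality of canonical origins.
function getAllowedOriginStrict(requestOrigin, allowed = allowedOrigins) {
  const wanted = canonicalOrigin(requestOrigin);
  if (wanted === null) return null;
  return allowed.map(canonicalOrigin).find((o) => o !== null && o === wanted) || null;
}

// Constructed sample Origin header values, including one that shares the
// allowed origin as a prefix (the shape of domain this advisory warns about).
const samples = [
  'https://app.example.com',
  'https://app.example.com:443',
  'https://app.example.com.other.test',
  'https://app.example.community',
  'https://admin.example.com',
];
for (const s of samples) {
  console.log(s, '| prefix match:', getAllowedOriginVulnerable(s),
    '| exact match:', getAllowedOriginStrict(s));
}
```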

🧯 If You Can't Patch

  • Implement additional CSRF protection layers and strict token validation
  • Monitor and restrict domains that could be registered with prefixes matching your allowed origins

🔍 How to Verify

Check if Vulnerable:

Check package.json for an @feathersjs/feathers version <=5.0.39 and confirm whether an origins array is configured in the application settings

Check Version:

npm list @feathersjs/feathers

Verify Fix Applied:

Verify that package.json shows @feathersjs/feathers version >=5.0.40, then test origin validation with an origin that shares a prefix with an allowed origin and confirm it is rejected

📡 Detection & Monitoring

Log Indicators:

  • Requests from domains with suspicious prefixes matching allowed origins
  • Failed origin validation attempts

Network Indicators:

  • OAuth flows initiated from unexpected domains
  • Referer headers with unusual domain structures

SIEM Query:

source="feathersjs" AND (referer CONTAINS ".attacker." OR origin_validation="failed")
