
Description

FeathersJS is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method that takes one (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query, where MongoDB interprets their keys as operators. Sending {$ne: null} as the id therefore matches every document in the collection, so an unauthenticated client can read, modify or delete records it was never meant to address by id. This vulnerability is fixed in 5.0.42.
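The mechanism above, as an added example written for this page (it is not code from the FeathersJS project or the advisory): a tiny stand-in for MongoDB filter evaluation shows what happens when an untyped id is placed into the `_id` condition of a query, and a hook-style guard in the shape of a Feathers hook context (`id`, `method`, `params`, assumed here rather than taken from the project) rejects non-scalar ids before any adapter sees them. The collection, the `matches` helper and `findById` are constructed for illustration; only `$ne` and `$in` are implemented, which is enough to show the difference between an id and an operator object.

```javascript
// Added example; not FeathersJS project code. Simulates how an untyped `id`
// from a Socket.IO client becomes a MongoDB operator and how a hook can
// reject it. Constructed sample collection (not real data):
const users = [
  { _id: 'u1', email: 'alice@example.com', role: 'user' },
  { _id: 'u2', email: 'bob@example.com', role: 'admin' },
  { _id: 'u3', email: 'carol@example.com', role: 'user' },
];

// Minimal stand-in for MongoDB filter evaluation. A nested plain object is
// treated as an operator document, exactly as MongoDB would treat it.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object' && !Array.isArray(cond)) {
      return Object.entries(cond).every(([op, arg]) => {
        switch (op) {
          case '$ne': return value !== arg;
          case '$in': return Array.isArray(arg) && arg.includes(value);
          default: throw new Error(`unsupported operator in example: ${op}`);
        }
      });
    }
    return value === cond; // plain equality for scalar ids
  });
}

// The unsafe path: whatever the client sent as `id` is dropped straight into
// the `_id` condition. A string selects one document; an object selects by
// operator. (Illustrative: the client would emit something like
// socket.emit('get', 'users', { $ne: null }, {}, cb) over Socket.IO.)
function findById(collection, id) {
  return collection.filter((doc) => matches(doc, { _id: id }));
}

// Hook-style guard. Assumes a Feathers-like context with `id` and `method`.
// find/create carry no id, so null/undefined pass through; anything that is
// not a string or number is rejected before reaching the adapter.
function assertScalarId(context) {
  const { id, method } = context;
  if (id === undefined || id === null) return context;
  if (typeof id !== 'string' && typeof id !== 'number') {
    const kind = Array.isArray(id) ? 'array' : typeof id;
    throw new TypeError(`Invalid id for ${method}: expected string or number, got ${kind}`);
  }
  return context;
}

// Guarded lookup: the same query path, but only after the id type is checked.
function safeFindById(collection, context) {
  assertScalarId(context);
  return findById(collection, context.id);
}

module.exports = { users, matches, findById, assertScalarId, safeFindById };
```

The guard is deliberately placed at the boundary where the id is still a raw client value, which is the same place a before-hook runs in Feathers; checking the type there protects every adapter behind the service, not just MongoDB. The `$in` branch is included to show that the problem is not limited to `$ne`: any operator the database understands can be smuggled in once the id is an object.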

PUBLISHED Reserved 2026-03-04 | Published 2026-03-10 | Updated 2026-03-11 | Assigner GitHub_M
CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Problem types

CWE-943: Improper Neutralization of Special Elements in Data Query Logic

Product status

affected: >= 5.0.0, < 5.0.42

References

github.com/...athers/security/advisories/GHSA-p9xr-7p9p-gpqx

cve.org (CVE-2026-29793)

nvd.nist.gov (CVE-2026-29793)
