PT-2026-21348 · Unknown · Feathersjs
Abdelwahed Madani Yousfi +5
Published 2026-02-19 · Updated 2026-02-21
CVE-2026-27193
CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Feathersjs versions 5.0.39 and below

Description: Feathersjs is a framework used for building web APIs and real-time applications. Versions 5.0.39 and below store all HTTP request headers in a session cookie that is signed but not encrypted, which can expose internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, which is then persisted by cookie-session as a base64-encoded value. The signature protects the cookie's integrity, not its confidentiality: the data is readable by simply decoding the base64 value. In deployments behind reverse proxies or API gateways, this can disclose sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. The root issue is the storage of sensitive information in the session cookie, specifically in how HTTP request headers and OAuth service data are handled.

Recommendations: Update to version 5.0.40 or later.
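The description above makes two points a deployer should be able to verify: a signed-but-unencrypted cookie-session value is readable by anyone holding it, and persisting the whole request headers object is what puts internal headers there. The Node.js script below is an added example, not code from Feathers or cookie-session, and not the project's 5.0.40 patch. It assumes cookie-session's encoding is plain base64 of the JSON session (as the advisory states), assumes an `oauth` key for where the headers land (the exact key is an assumption), and uses a constructed sample session with placeholder values. It audits a cookie value for sensitive header names and shows an allowlist approach to keeping such headers out of the session.

```javascript
// Added example (not Feathers or cookie-session project code): audit a
// cookie-session value as the advisory describes it (base64 of JSON) and show
// an allowlist pattern for what request headers may be persisted.

// Header names a deployer would never want persisted client-side.
// Assumption: illustrative patterns, not an exhaustive list.
const SENSITIVE_HEADER_PATTERNS = [
  /authorization/i, /cookie/i, /api[-_]?key/i, /token/i,
  /^x-forwarded-for$/i, /^x-real-ip$/i, /^x-internal-/i,
];

// Decode a cookie-session payload. The signature lives in a separate ".sig"
// cookie and does not affect readability: signing gives integrity, not
// confidentiality, which is the advisory's point.
function decodeSessionCookie(cookieValue) {
  const json = Buffer.from(cookieValue, 'base64').toString('utf8');
  return JSON.parse(json);
}

// Walk the decoded session and report every header name under a "headers"
// object that matches a sensitive pattern. Returns [{ path, header }].
function findLeakedHeaders(session) {
  const findings = [];
  const visit = (node, path) => {
    if (!node || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      const here = path ? `${path}.${key}` : key;
      if (key === 'headers' && value && typeof value === 'object') {
        for (const name of Object.keys(value)) {
          if (SENSITIVE_HEADER_PATTERNS.some((re) => re.test(name))) {
            findings.push({ path: here, header: name });
          }
        }
      } else {
        visit(value, here);
      }
    }
  };
  visit(session, '');
  return findings;
}

// Defensive pattern (an assumption about how to mitigate, not the project's
// patch): persist only an explicit allowlist of header names instead of the
// whole headers object.
const SESSION_HEADER_ALLOWLIST = ['user-agent', 'accept-language'];

function pickSessionHeaders(headers) {
  const kept = {};
  for (const name of SESSION_HEADER_ALLOWLIST) {
    if (name in headers) kept[name] = headers[name];
  }
  return kept;
}

// Constructed sample: a session in which the whole headers object was stored
// (the "oauth" key is assumed), encoded the way cookie-session would.
const sampleSession = {
  oauth: {
    redirect: '/',
    headers: {
      host: 'app.example.test',
      'user-agent': 'Mozilla/5.0 (constructed)',
      'x-forwarded-for': '10.0.0.7',
      'x-internal-api-key': 'PLACEHOLDER-NOT-A-REAL-KEY',
      authorization: 'Bearer PLACEHOLDER',
    },
  },
};
const sampleCookie = Buffer.from(JSON.stringify(sampleSession)).toString('base64');

// Stand-alone run: list what leaks, then what the allowlist would have kept.
if (typeof require !== 'undefined' && require.main === module) {
  const decoded = decodeSessionCookie(sampleCookie);
  console.log('leaked headers:', findLeakedHeaders(decoded));
  console.log('allowlisted headers:', pickSessionHeaders(sampleSession.oauth.headers));
}
```

Run it against a session cookie captured from a staging instance of your own deployment to confirm which proxy and gateway headers actually end up in it; the allowlist in `pickSessionHeaders` is the shape of the mitigation, and the names it keeps should be chosen per deployment.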

Tags: Exploit · Fix · Information Disclosure


Weakness Enumeration

Related Identifiers: CVE-2026-27193, GHSA-9M9C-VPV5-9G85

Affected Products: Feathersjs