CVE-2026-29793

Name of the Vulnerable Software and Affected Versions Feathersjs versions 5.0.0 through 5.0.41

Description Feathersjs is a framework used for building web APIs and real-time applications. Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer does not validate the type of this argument. When using the MongoDB adapter, these objects are passed to the getObjectId() function and used directly in MongoDB queries as operators. Sending {$ne: null} as the id can match all documents within a collection.

Recommendations Update to version 5.0.42 or later.