VYPR

npm package

@feathersjs/authentication-oauth

pkg:npm/%40feathersjs/authentication-oauth

Vulnerabilities (4)

  • CVE-2026-29792 (Mar 10, 2026)
    affected >= 5.0.0, < 5.0.42; fixed 5.0.42

    Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The O

  • CVE-2026-27193 (Feb 21, 2026)
    affected < 5.0.40; fixed 5.0.40

    Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients

  • CVE-2026-27192 (Feb 21, 2026)
    affected < 5.0.40; fixed 5.0.40

    Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix w

  • CVE-2026-27191 (Feb 21, 2026)
    affected < 5.0.40; fixed 5.0.40

    Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injectio