CVE-2026-27191 Overview
CVE-2026-27191 is an Open Redirect vulnerability in FeathersJS, a popular framework for creating web APIs and real-time applications with TypeScript or JavaScript. The vulnerability exists in the OAuth authentication module where the redirect query parameter is appended to the base origin without proper validation. This allows attackers to steal access tokens via URL authority injection, leading to full account takeover.
Critical Impact
Attackers can exploit this vulnerability to steal OAuth access tokens by injecting malicious redirect URLs, enabling complete account impersonation and takeover of victim accounts.
Affected Products
- FeathersJS Feathers versions 5.0.39 and below
- Applications using @feathersjs/authentication-oauth package
- Node.js applications with OAuth authentication configured with origins array
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-27191 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27191
Vulnerability Analysis
The vulnerability stems from improper validation in the OAuth redirect flow within FeathersJS. When the origins array is configured and origin values do not end with a trailing slash (/), the application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter without proper sanitization. This architectural flaw allows attackers to manipulate URL authority interpretation by the browser.
The attack exploits URL parsing behavior where @ characters can be used to specify credentials in a URL. When an attacker supplies @attacker.com as the redirect value, the resulting URL becomes https://target.com@attacker.com#access_token=.... In this case, the browser interprets attacker.com as the actual host, with target.com being treated as the username portion of the URL authority.
Root Cause
The root cause is insufficient validation of the redirect parameter combined with improper origin comparison. The original code used a prefix-based comparison (startsWith) for referer validation rather than proper URL origin parsing. This allowed attackers to bypass origin restrictions because the comparison didn't account for URL authority injection techniques. The referer header was also not properly parsed to extract its actual origin before comparison.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts a malicious OAuth authentication link containing a specially crafted redirect parameter such as @attacker.com. When a victim clicks the link and completes OAuth authentication, the access token is appended to the redirect URL. Due to the URL authority injection, the browser sends the request (including the access token in the URL fragment) to attacker.com instead of the legitimate target domain.
The following code shows the security patch that addresses the vulnerability by implementing proper URL origin parsing:
if (Array.isArray(origins)) {
const referer = params?.headers?.referer || origins[0]
// Parse the referer to get its origin for proper comparison
let refererOrigin: string
try {
refererOrigin = new URL(referer).origin
} catch {
throw new NotAuthenticated(`Invalid referer "${referer}".`)
}
// Compare full origins
const allowedOrigin = origins.find((current) => refererOrigin.toLowerCase() === current.toLowerCase())
if (!allowedOrigin) {
throw new NotAuthenticated(`Referer "${referer}" is not allowed.`)
Source: GitHub Commit ee19a0ae9bc2ebf23b1fe598a1f7361981b65401
The fix properly parses the referer URL using the URL constructor and compares the full origin instead of using a prefix-based match.
Detection Methods for CVE-2026-27191
Indicators of Compromise
- OAuth redirect URLs containing @ characters followed by external domains
- Unusual access patterns from OAuth callback endpoints with malformed redirect parameters
- Access token leakage in server logs showing redirects to unexpected domains
- Authentication flows redirecting to domains not in the configured origins list
Detection Strategies
- Monitor OAuth authentication endpoints for redirect parameters containing URL authority injection patterns (e.g., @ followed by domain names)
- Implement web application firewall rules to detect and block requests with suspicious redirect parameter values
- Review application logs for failed authentication attempts with "Invalid referer" errors after patching
- Set up alerts for OAuth token issuance events followed by redirects to non-whitelisted domains
Monitoring Recommendations
- Enable verbose logging on OAuth authentication flows to capture full redirect URLs
- Monitor for unusual spikes in OAuth authentication requests from single IP addresses
- Track referrer headers in authentication requests for anomalies or patterns indicative of attack attempts
- Implement real-time alerting for OAuth callback requests containing potential injection payloads
How to Mitigate CVE-2026-27191
Immediate Actions Required
- Upgrade FeathersJS to version 5.0.40 or later immediately
- Review OAuth configuration to ensure all values in the origins array include trailing slashes
- Audit application logs for evidence of exploitation attempts prior to patching
- Invalidate and rotate all OAuth access tokens issued prior to patching if compromise is suspected
Patch Information
The vulnerability has been fixed in FeathersJS version 5.0.40. The patch implements proper URL origin parsing using the URL constructor and changes the origin comparison from prefix-based matching to exact origin matching. Additionally, the patch limits stored session headers to only the referer header needed for origin validation.
For detailed patch information, see the GitHub Security Advisory GHSA-ppf9-4ffw-hh4p and the Release Notes for v5.0.40.
Workarounds
- Ensure all origins in the OAuth configuration array end with a trailing slash (/) to prevent authority injection
- Implement additional server-side validation of redirect parameters before processing OAuth callbacks
- Use a reverse proxy or WAF to filter requests containing suspicious redirect parameter patterns
- Consider temporarily disabling OAuth authentication if immediate patching is not possible
# Update FeathersJS to patched version
npm update @feathersjs/feathers@5.0.40
npm update @feathersjs/authentication-oauth@5.0.40
# Verify installed version
npm list @feathersjs/feathers
npm list @feathersjs/authentication-oauth
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
