CVE-2026-27193 Overview
CVE-2026-27193 is an information exposure vulnerability in FeathersJS, a popular framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the OAuth authentication service stores all HTTP request headers in the session cookie. While the cookie is signed to prevent tampering, it is not encrypted, meaning the contents are readable by anyone who can simply decode the base64 value. This design flaw exposes internal proxy and gateway headers to clients, potentially leaking sensitive infrastructure details.
Critical Impact
Attackers can decode session cookies to expose sensitive internal infrastructure details including API keys, service tokens, and internal IP addresses from reverse proxy or API gateway deployments.
Affected Products
- FeathersJS Feathers versions 5.0.39 and below
- Applications using @feathersjs/authentication-oauth package
- Deployments behind reverse proxies or API gateways that inject sensitive headers
Discovery Timeline
- 2026-02-21 - CVE CVE-2026-27193 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27193
Vulnerability Analysis
This information exposure vulnerability (CWE-200) stems from an insecure design decision in the FeathersJS OAuth authentication flow. When a user initiates OAuth authentication, the framework captures the entire HTTP headers object from the incoming request and persists it within the session data. The session is then serialized using cookie-session, which employs base64 encoding for storage.
The core issue is that while the session cookie is cryptographically signed to detect tampering, the data itself remains unencrypted. Base64 is an encoding scheme, not an encryption mechanism, meaning any party with access to the cookie can trivially decode and read its contents. In production environments where applications sit behind reverse proxies, load balancers, or API gateways, these infrastructure components commonly inject headers containing sensitive information such as X-Api-Key, X-Service-Token, X-Real-IP, X-Forwarded-For, and internal routing metadata.
Root Cause
The root cause lies in the OAuth service implementation within packages/authentication-oauth/src/service.ts. The original code indiscriminately stored the complete headers object in the session:
session.headers = headers
This approach violates the principle of least privilege for data storage—only the referer header was actually needed for origin validation during the OAuth callback flow. By storing all headers, the framework inadvertently created a side-channel for leaking infrastructure secrets.
Attack Vector
The attack requires network access and exploits the base64-encoded session cookie. An attacker can:
- Initiate an OAuth authentication flow against a vulnerable FeathersJS application
- Intercept or obtain the session cookie set by the server
- Decode the base64-encoded cookie value using standard tools
- Extract sensitive header values that were captured during the request
The following patch demonstrates the security fix implemented in version 5.0.40:
session.redirect = redirect
session.query = restQuery
- session.headers = headers
+ // Only store the referer header needed for origin validation
+ session.headers = {
+ referer: headers?.referer
+ }
return this.handler('GET', handlerParams, {})
}
Source: GitHub Commit
Additionally, the patch strengthens origin validation in packages/authentication-oauth/src/strategy.ts to properly parse and compare referer origins:
if (Array.isArray(origins)) {
const referer = params?.headers?.referer || origins[0]
- const allowedOrigin = origins.find((current) => referer.toLowerCase().startsWith(current.toLowerCase()))
+
+ // Parse the referer to get its origin for proper comparison
+ let refererOrigin: string
+ try {
+ refererOrigin = new URL(referer).origin
+ } catch {
+ throw new NotAuthenticated(`Invalid referer "${referer}".`)
+ }
+
+ // Compare full origins
+ const allowedOrigin = origins.find((current) => refererOrigin.toLowerCase() === current.toLowerCase())
if (!allowedOrigin) {
throw new NotAuthenticated(`Referer "${referer}" is not allowed.`)
Source: GitHub Commit
Detection Methods for CVE-2026-27193
Indicators of Compromise
- Unexplained access to internal infrastructure endpoints using leaked API keys or service tokens
- Authentication attempts from unexpected IP addresses using valid session tokens
- Anomalous API gateway or reverse proxy log entries indicating header reconnaissance
- Evidence of base64 decoding tools or scripts targeting session cookies in endpoint logs
Detection Strategies
- Monitor for unusually large session cookies that may indicate header data storage bloat
- Implement logging for OAuth authentication flows to detect reconnaissance activity
- Review application logs for failed authentication attempts that reference internal infrastructure details
- Deploy web application firewalls (WAF) with rules to detect base64-encoded data exfiltration patterns
Monitoring Recommendations
- Enable verbose logging on reverse proxies and API gateways to track header injection
- Implement real-time alerting for access to sensitive internal endpoints from external sources
- Audit session cookie sizes—cookies significantly larger than typical authentication tokens may indicate the vulnerability
- Use SentinelOne Singularity to monitor for suspicious process behavior and network connections indicative of credential harvesting
How to Mitigate CVE-2026-27193
Immediate Actions Required
- Upgrade FeathersJS to version 5.0.40 or later immediately
- Rotate any API keys, service tokens, or credentials that may have been exposed through proxy headers
- Review reverse proxy and API gateway configurations to minimize sensitive header injection
- Invalidate existing session cookies to prevent exploitation of already-issued tokens
Patch Information
The vulnerability has been fixed in FeathersJS version 5.0.40. The patch modifies the OAuth service to store only the referer header required for origin validation, rather than the complete headers object. Additionally, the fix includes improved origin validation logic to prevent related bypass attacks.
Update your project dependencies:
npm update @feathersjs/feathers @feathersjs/authentication-oauth
Or specify the exact version:
npm install @feathersjs/feathers@5.0.40 @feathersjs/authentication-oauth@5.0.40
For detailed information, see the GitHub Security Advisory and Release Notes.
Workarounds
- Configure reverse proxies to strip sensitive internal headers before forwarding requests to the FeathersJS application
- Implement middleware to sanitize the request headers object before OAuth processing
- Use encrypted session storage mechanisms instead of cookie-session if upgrading is not immediately possible
- Deploy network segmentation to limit the impact of exposed internal IP addresses or routing information
# Example nginx configuration to strip sensitive headers
proxy_set_header X-Api-Key "";
proxy_set_header X-Service-Token "";
proxy_set_header X-Internal-Route "";
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
