CVE-2026-29793 Overview
CVE-2026-29793 is a critical NoSQL injection vulnerability in FeathersJS, a framework for building web APIs and real-time applications in TypeScript or JavaScript. A Socket.IO client can send an arbitrary JSON object as the id argument of any service method that takes one (get, patch, update, remove). The transport layer performs no type check on that argument, and when the service is backed by the MongoDB adapter the object passes through getObjectId() unchanged and lands in the MongoDB query, where its $-prefixed keys are interpreted as query operators.
Critical Impact
Attackers can inject MongoDB operators such as {$ne: null} as the id parameter, turning a single-document lookup into a predicate that matches every document in the collection. Authorization logic that assumes the id identifies one record the caller is allowed to access is bypassed, so documents belonging to other users can be read, modified or deleted.
Affected Products
- FeathersJS versions 5.0.0 up to, but not including, 5.0.42
- Applications using FeathersJS with the MongoDB adapter (@feathersjs/mongodb)
- Services exposed over the Socket.IO transport (@feathersjs/socketio)
Discovery Timeline
- 2026-03-10 - CVE-2026-29793 published to NVD
- 2026-03-11 - NVD entry last updated
Technical Details for CVE-2026-29793
Vulnerability Analysis
This vulnerability is classified under CWE-943 (Improper Neutralization of Special Elements in Data Query Logic). The root issue is that FeathersJS forwards untrusted Socket.IO input to the MongoDB adapter without checking its type.
When a Socket.IO client invokes get(), patch(), update() or remove(), the id argument is expected to be a simple identifier: a string, a number, or (for in-process callers) an ObjectId. The transport layer does not validate this, so a client can send a JSON object containing MongoDB query operators in place of the identifier.
The adapter then runs the attacker-controlled object through getObjectId(), which only converts a valid ObjectId string into an ObjectId and returns any other value unchanged. The object is embedded as-is as the _id value of the query filter, where MongoDB treats its $-prefixed keys as operators rather than as a literal value. That is the NoSQL injection.
Root Cause
The vulnerability stems from missing type checking on the id argument in the Socket.IO transport layer of FeathersJS. The framework forwards client-supplied data without verifying that id is a primitive value (string or number) rather than an object, so MongoDB query operators embedded in that object reach the database query unchanged.
Attack Vector
The attack is network-based and requires no user interaction. Whether it needs credentials depends on the service: if the service is reachable without an authenticate hook, any client that can open a Socket.IO connection can send the payload; if it is protected, an authenticated user can still use an injected id to reach documents that an id-based authorization check would otherwise deny.
For example, sending {$ne: null} as the id to get() or remove() produces the filter {_id: {$ne: null}}, which matches every document in the collection, since every MongoDB document has a non-null _id. Because a non-null id addresses a single document, one call acts on the first document that matches the injected predicate; repeating the call reaches the rest. This can lead to:
- Mass data exfiltration: retrieving documents the caller was never meant to see, up to the whole collection
- Mass data destruction: deleting documents one call at a time until the collection is empty
- Data manipulation: updating arbitrary records with attacker-controlled values
The attack exploits MongoDB's query syntax, in which object keys prefixed with $ are interpreted as operators rather than as literal field values. For the exact code paths and the fix, refer to the GitHub Security Advisory.
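The code path described above, as an added example that is not FeathersJS or @feathersjs/mongodb code: FakeObjectId stands in for the bson ObjectId (only validity and equality are modelled), getObjectId() models the conversion behaviour the advisory describes, matchesId() evaluates only the $ne and $exists operators, and the three documents are constructed sample data. The socket.emit lines in the comments follow the direct-connection argument order from the Feathers documentation.

```javascript
// Added example, not code from FeathersJS or @feathersjs/mongodb: a reduced model of the
// vulnerable path (see the lead-in for what is assumed).

const HEX24 = /^[0-9a-f]{24}$/i;

// Stand-in for the bson ObjectId: only validity checking and equality matter here.
class FakeObjectId {
  constructor(hex) { this.hex = hex.toLowerCase(); }
  static isValid(value) { return typeof value === 'string' && HEX24.test(value); }
  equals(other) { return other instanceof FakeObjectId && other.hex === this.hex; }
  toString() { return this.hex; }
}

// Converts a valid 24-hex id string to an id object; anything else, including an
// attacker-supplied object such as {$ne: null}, is returned unchanged.
function getObjectId(id) {
  return FakeObjectId.isValid(id) ? new FakeObjectId(id) : id;
}

// A non-null id becomes the single-document filter { _id: <id> }.
function buildIdFilter(id) {
  return { _id: getObjectId(id) };
}

// Tiny evaluator for the _id part of a filter. Only $ne and $exists are modelled, which is
// enough to show the "match everything" payloads; real MongoDB supports many more operators.
// MongoDB compares only values of the same BSON type, so a plain string or number never
// equals an ObjectId, which is why those branches return false.
function matchesId(doc, filter) {
  const cond = filter._id;
  if (cond instanceof FakeObjectId) return cond.equals(doc._id);
  if (cond === null || typeof cond !== 'object') return false;
  return Object.entries(cond).every(([op, operand]) => {
    switch (op) {
      case '$ne': return operand === null ? doc._id != null : !doc._id.equals(operand);
      case '$exists': return (doc._id != null) === Boolean(operand);
      default: throw new Error(`operator ${op} is not modelled in this example`);
    }
  });
}

// Constructed sample collection.
const collection = [
  { _id: new FakeObjectId('64a1f2c3d4e5f60718293a4b'), owner: 'alice', text: 'hello' },
  { _id: new FakeObjectId('64a1f2c3d4e5f60718293a4c'), owner: 'bob', text: 'secret' },
  { _id: new FakeObjectId('64a1f2c3d4e5f60718293a4d'), owner: 'carol', text: 'draft' },
];

// Every document the filter built from this id argument would match.
function select(id) {
  const filter = buildIdFilter(id);
  return collection.filter((doc) => matchesId(doc, filter));
}

// What a single get(id) returns: the first match (findOne semantics), or null.
function get(id) {
  return select(id)[0] ?? null;
}

// The two calls in Socket.IO direct-connection form (callback omitted). A JSON client can only
// send strings, numbers, objects and arrays, so the second call puts an object where the id belongs:
//   socket.emit('get', 'messages', '64a1f2c3d4e5f60718293a4c', {}, cb)
//   socket.emit('get', 'messages', { $ne: null }, {}, cb)
console.log(select('64a1f2c3d4e5f60718293a4c').map((d) => d.owner)); // [ 'bob' ]
console.log(select({ $ne: null }).map((d) => d.owner));              // [ 'alice', 'bob', 'carol' ]
console.log(get({ $ne: null }).owner);                               // alice
```

A legitimate id selects exactly one document; the injected object selects all three, and a single get() hands the attacker the first of them regardless of who owns it.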
Detection Methods for CVE-2026-29793
Indicators of Compromise
- Socket.IO messages carrying MongoDB operators ($ne, $gt, $lt, $regex, $where, $exists, etc.) in the id argument of get, patch, update or remove; operators inside the query argument are normal Feathers query syntax and are not suspicious on their own
- Unexpected bulk operations in MongoDB logs affecting large numbers of documents
- Service method calls with object-type id parameters instead of string or ObjectId values
- Abnormal patterns of get, patch, update, or remove operations across collections
Detection Strategies
- Implement application-layer logging to capture and analyze Socket.IO message payloads
- Monitor MongoDB query logs for queries containing operator objects in the _id field
- Deploy Web Application Firewall (WAF) rules to detect JSON payloads with MongoDB operator patterns; the rules must cover WebSocket frames as well as the HTTP long-polling fallback, or Socket.IO traffic will bypass them
- Use runtime application self-protection (RASP) solutions to detect and block NoSQL injection attempts
Monitoring Recommendations
- Enable detailed logging for all FeathersJS service method invocations
- Set up alerts for MongoDB queries that match unusually large numbers of documents, and for filters whose _id value is an operator document rather than a literal id
- Monitor for Socket.IO connections exhibiting suspicious patterns such as rapid service method calls
- Implement anomaly detection for database operations that deviate from normal application behavior
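The indicators above turned into a check, as an added example that is not FeathersJS code: it assumes a log in which each line records one Feathers socket event as a JSON array in the direct-connection argument order from the Feathers docs (method, service path, then the method's arguments, callback omitted). That log format and the four sample lines are constructed for this example.

```javascript
// Added example, not FeathersJS code: flags object-typed ids, operators inside the id, and
// the $where operator anywhere, over constructed JSON-lines log records (see the lead-in).

const ID_METHODS = new Set(['get', 'update', 'patch', 'remove']);

// Returns the dotted path of every "$"-prefixed key found anywhere inside value.
function findOperatorKeys(value, prefix) {
  const hits = [];
  if (Array.isArray(value)) {
    value.forEach((item, i) => hits.push(...findOperatorKeys(item, `${prefix}[${i}]`)));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      const path = `${prefix}.${key}`;
      if (key.startsWith('$')) hits.push(path);
      hits.push(...findOperatorKeys(child, path));
    }
  }
  return hits;
}

// Inspects one decoded socket event. Operators inside the query argument are ordinary Feathers
// query syntax ($limit, $sort, $gt, ...), so only the id argument and $where are flagged.
function inspectServiceCall(event) {
  const [method, servicePath, ...args] = event;
  const findings = [];
  const flag = (rule, detail) => findings.push({ method, path: servicePath, rule, detail });

  if (ID_METHODS.has(method)) {
    const id = args[0];
    const primitive = typeof id === 'string' || typeof id === 'number' || id === null;
    if (!primitive) {
      flag('non-primitive-id', Array.isArray(id) ? 'array' : typeof id);
      for (const key of findOperatorKeys(id, 'id')) flag('operator-in-id', key);
    }
  }
  for (const key of findOperatorKeys(args, 'args')) {
    if (key.endsWith('.$where')) flag('server-side-js-operator', key);
  }
  return findings;
}

// Scans newline-delimited JSON; a line that does not parse is itself reported.
function scanLog(text) {
  const findings = [];
  text.split('\n').forEach((line, n) => {
    if (!line.trim()) return;
    let event;
    try {
      event = JSON.parse(line);
    } catch {
      findings.push({ line: n + 1, rule: 'unparsable' });
      return;
    }
    for (const f of inspectServiceCall(event)) findings.push({ line: n + 1, ...f });
  });
  return findings;
}

// Constructed sample log: a legitimate get, a legitimate find whose query uses operators,
// an injected id on get, and an injected id on remove.
const SAMPLE_LOG = [
  '["get","messages","64a1f2c3d4e5f60718293a4c",{}]',
  '["find","messages",{"$limit":10,"createdAt":{"$gt":1700000000}}]',
  '["get","messages",{"$ne":null},{}]',
  '["remove","users",{"$exists":true},{}]',
].join('\n');

console.log(scanLog(SAMPLE_LOG)); // findings for lines 3 and 4 only
```

Lines 1 and 2 produce nothing, which is the point of scoping the rule to the id argument: a detector that alerts on every $ key would page on ordinary pagination and sorting queries.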
How to Mitigate CVE-2026-29793
Immediate Actions Required
- Upgrade FeathersJS to version 5.0.42 or later immediately, updating all @feathersjs packages together since they are released in lockstep
- Review application logs for evidence of exploitation attempts
- Audit all services using the MongoDB adapter for potential data breaches
- Implement input validation hooks to sanitize id parameters at the application level
Patch Information
The vulnerability is fixed in FeathersJS version 5.0.42. The fix adds type checking on the id argument in the transport layer so that only primitive values (strings or numbers, plus ObjectId instances created in-process) are accepted; a client-supplied object is rejected before it reaches the adapter. For more information, see the GitHub Security Advisory.
Workarounds
- Add a custom hook to validate that id parameters are primitive values before processing
- Implement application-level input sanitization to reject object-type id parameters
- Consider temporarily disabling Socket.IO transport if not required for application functionality
- Use a reverse proxy or WAF to filter requests containing MongoDB operator patterns, making sure it inspects WebSocket frames and not only the HTTP long-polling fallback
# Update the FeathersJS packages to the patched release (npm install, not npm update, accepts an explicit version)
npm install @feathersjs/feathers@5.0.42 @feathersjs/socketio@5.0.42 @feathersjs/mongodb@5.0.42
# Confirm the installed versions
npm ls @feathersjs/feathers @feathersjs/socketio @feathersjs/mongodb
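The validation hook from the first two workarounds, as an added example that is not FeathersJS code: it reads only the standard hook context fields (method, path, id), throws a plain Error with code 400 where a real application would throw BadRequest from @feathersjs/errors, and the contexts at the bottom are constructed. The service name in the registration comment is an assumption.

```javascript
// Added example, not FeathersJS code: a before hook that rejects any id that is not a string,
// a finite number, or (for patch/remove) null. Assumptions are listed in the lead-in.

// null is kept for patch and remove because Feathers uses it for multi-record operations;
// find and create carry no id at all; every other method must carry a primitive id.
function isAcceptableId(method, id) {
  if (method === 'find' || method === 'create') return true;
  if (id === null) return method === 'patch' || method === 'remove';
  return typeof id === 'string' || (typeof id === 'number' && Number.isFinite(id));
}

// The hook itself: throws before the adapter ever sees an object-typed id.
function assertPrimitiveId(context) {
  if (!isAcceptableId(context.method, context.id)) {
    const kind = Array.isArray(context.id) ? 'array' : typeof context.id;
    const err = new Error(`Invalid id (${kind}) for ${context.path}.${context.method}`);
    err.code = 400; // stands in for BadRequest from @feathersjs/errors
    throw err;
  }
  return context;
}

// Registration, as it would appear in a Feathers app (service name assumed):
//   app.service('messages').hooks({ before: { all: [assertPrimitiveId] } });
// or once for every service:
//   app.hooks({ before: { all: [assertPrimitiveId] } });

// true/false wrapper so the decision can be checked without try/catch.
function hookAccepts(context) {
  try {
    assertPrimitiveId(context);
    return true;
  } catch {
    return false;
  }
}

// Constructed contexts covering legitimate and injected calls.
const cases = [
  { path: 'messages', method: 'get', id: '64a1f2c3d4e5f60718293a4c' },
  { path: 'messages', method: 'patch', id: null },
  { path: 'messages', method: 'get', id: { $ne: null } },
  { path: 'users', method: 'remove', id: { $exists: true } },
  { path: 'users', method: 'update', id: null },
  { path: 'users', method: 'get', id: ['1', '2'] },
];
for (const c of cases) {
  console.log(`${c.path}.${c.method}`, JSON.stringify(c.id), hookAccepts(c) ? 'allowed' : 'rejected');
}
```

The check is deliberately an allow-list on type rather than a search for $ keys: an object id is never legitimate over the transport, so rejecting every non-primitive closes the bypass without needing to enumerate operators.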
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.