CVE-2026-27191
Open Redirect in Feathersjs Allows Full Account Takeover
Publication date: 2026-02-21
Last updated on: 2026-02-25
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| feathersjs | feathers | < 5.0.40 (all versions up to and including 5.0.39; fixed in 5.0.40) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27191 is a high-severity open redirect vulnerability in the FeathersJS framework, specifically in the @feathersjs/authentication-oauth package, versions 5.0.39 and below.

The vulnerability occurs because the package appends the user-supplied redirect query parameter directly to a configured base origin URL without validating it. When an entry in the origins array does not end with a trailing slash, the attacker-controlled value is joined onto the authority (host) part of the URL rather than onto a path, so the browser can interpret the result as pointing at a different host.

For example, if an attacker supplies a redirect value of '@attacker.com', the resulting URL takes the form 'https://<configured-origin-host>@attacker.com#access_token=...'. A browser treats everything between 'https://' and the '@' as userinfo and attacker.com as the host, so the OAuth access token carried in the fragment is delivered to the attacker's site.

By obtaining the victim's access token, the attacker can impersonate the victim and perform a full account takeover.

This issue was fixed in version 5.0.40 by adding strict validation of the redirect parameter and improving origin validation. [1, 3]
How can this vulnerability impact me?
This vulnerability can lead to a full account takeover by an attacker.
Because the attacker can steal OAuth access tokens via a crafted redirect URL, they can impersonate the victim user and gain unauthorized access to their account and data.
Such unauthorized access can compromise sensitive information, disrupt services, and lead to further exploitation within the affected application.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious or malformed redirect URLs in the OAuth authentication flow, particularly requests where the redirect query parameter contains an '@' character (or its percent-encoded form '%40'), which makes the browser treat the text before it as userinfo and an attacker-controlled domain as the URL authority.

Inspect HTTP requests to the FeathersJS OAuth endpoints and look for redirect parameters that produce authority injections such as 'https://<your-origin-host>@attacker.com'.

Suggested commands to detect such attempts include using network traffic capture tools like tcpdump or Wireshark to filter HTTP requests containing the redirect parameter, for example:

- `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'redirect='` (the filter selects TCP segments with a non-empty payload; note that it only sees plaintext HTTP on port 80, so for the usual HTTPS deployment capture at the TLS-terminating reverse proxy or load balancer, or use its access logs instead)
- Using curl or wget to test the OAuth redirect endpoint with crafted redirect parameters and checking whether the Location header of the response points at an attacker-controlled host.

Additionally, reviewing application and proxy logs for redirect URLs that do not match the configured origins or that contain suspicious patterns ('@', '%40', '\\', a leading '//' or an explicit scheme) can help identify exploitation attempts. [1, 3]
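A grep for '@' on raw log lines misses the percent-encoded form, so the check has to decode the query first. The following script is an added example (not code from this page or from the FeathersJS project) that scans constructed combined-log-format lines for OAuth redirect parameters shaped like an authority injection. The log format, the `/oauth/<provider>` path, the hostnames and the function names are assumptions made for the illustration:

```javascript
// Added example, not FeathersJS project code. Scans access-log lines for
// redirect parameters that could steer the browser to another host.
// The log format, paths and hosts below are constructed for illustration.

// Shapes the advisory's mitigation advice tells us to reject.
const SUSPICIOUS = [
  { name: 'authority-injection', test: (v) => v.includes('@') },
  { name: 'backslash', test: (v) => v.includes('\\') },
  { name: 'protocol-relative', test: (v) => v.startsWith('//') },
  { name: 'absolute-url', test: (v) => /^[a-z][a-z0-9+.-]*:/i.test(v) },
];

// Pull the request target out of a combined-log-format line and return the
// decoded redirect parameter (URLSearchParams turns %40 back into '@').
function extractRedirect(line) {
  const m = line.match(/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  // The base is only needed so that a relative request target parses; it is
  // never used as a redirect destination.
  const url = new URL(m[1], 'http://placeholder.invalid');
  return url.searchParams.get('redirect');
}

// Return { redirect, hits } when the line carries a suspicious redirect,
// otherwise null.
function classify(line) {
  const redirect = extractRedirect(line);
  if (redirect === null) return null;
  const hits = SUSPICIOUS.filter((r) => r.test(redirect)).map((r) => r.name);
  return hits.length ? { redirect, hits } : null;
}

function scanLog(lines) {
  return lines
    .map((line) => ({ line, finding: classify(line) }))
    .filter((r) => r.finding !== null);
}

// Constructed sample lines: a benign flow, an encoded '@' injection, a
// protocol-relative attempt, and an unrelated request.
const SAMPLE_LOG = [
  '203.0.113.5 - - [21/Feb/2026:10:00:01 +0000] "GET /oauth/github?redirect=dashboard HTTP/1.1" 302 0',
  '198.51.100.7 - - [21/Feb/2026:10:00:02 +0000] "GET /oauth/github?redirect=%40attacker.example HTTP/1.1" 302 0',
  '198.51.100.9 - - [21/Feb/2026:10:00:03 +0000] "GET /oauth/github?redirect=%2F%2Fattacker.example%2Fx HTTP/1.1" 302 0',
  '203.0.113.8 - - [21/Feb/2026:10:00:04 +0000] "GET /api/users HTTP/1.1" 200 512',
];

for (const { line, finding } of scanLog(SAMPLE_LOG)) {
  console.log(`${finding.hits.join(',')} -> ${finding.redirect} | ${line}`);
}
```

Pipe real proxy or application logs through `scanLog` after the fact, or run the same `classify` predicate in a log-shipper filter; the decoding step is what distinguishes it from the plain `grep 'redirect='` above.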
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade the FeathersJS framework and the @feathersjs/authentication-oauth package to version 5.0.40 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, you should:

- Ensure that every entry in the origins array of your OAuth configuration ends with a trailing slash ('/'), so that an appended redirect value can only extend the path, never the host.
- Implement strict validation of the redirect query parameter: reject any value containing '@', a protocol-relative URL (starting with '//'), backslashes, an explicit scheme, or other malformed input, and verify that the final URL, once parsed, still has one of the configured origins.
- Restrict the headers stored during OAuth authentication to only those necessary for origin validation, such as the 'referer' header, to avoid leaking sensitive information.

Monitoring and logging redirect URLs and authentication attempts can also help detect and prevent exploitation. [2, 3]
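To make the mechanism from the explanation above and the redirect validation listed here concrete, the following is an added example (not code from this page or from the @feathersjs/authentication-oauth package). It builds the redirect URL the naive way, shows which host a WHATWG URL parser lands on with and without the trailing slash, and then builds it the hardened way by rejecting hostile shapes and re-checking the parsed origin. The function names, the `app.example` origin and the `attacker.example` host are assumptions for the illustration:

```javascript
// Added example, not FeathersJS project code. Demonstrates how a redirect
// parameter appended to a configured origin can change the host a browser
// lands on, and a stricter builder that keeps the redirect on the origin.
// Origin and attacker hostnames are constructed for illustration.

// The pattern the advisory describes: origin + redirect, no validation.
function buildRedirectUnsafe(origin, redirect, accessToken) {
  return `${origin}${redirect}#access_token=${accessToken}`;
}

// Hardened builder. Steps: normalise the origin to end in '/', reject shapes
// that can reach another host, resolve the redirect relative to the trusted
// base, and verify the parsed origin is unchanged.
function buildRedirectSafe(origin, redirect, accessToken) {
  const base = new URL(origin); // throws unless origin is an absolute URL
  if (!base.pathname.endsWith('/')) base.pathname += '/'; // the trailing-slash mitigation

  // '@' injects userinfo, '\' is treated as '/' by browsers for http(s),
  // '//' is protocol-relative, and an explicit scheme is an absolute URL.
  if (/[@\\]/.test(redirect) || redirect.startsWith('//') || /^[a-z][a-z0-9+.-]*:/i.test(redirect)) {
    throw new Error(`rejected redirect value: ${redirect}`);
  }

  const target = new URL(redirect, base); // resolved against the trusted base
  if (target.origin !== base.origin) {    // belt and braces: parse, then compare
    throw new Error(`redirect leaves configured origin: ${target.href}`);
  }
  target.hash = `access_token=${accessToken}`;
  return target.href;
}

// The host a browser would actually contact for a given URL.
function landingHost(href) {
  return new URL(href).hostname;
}

// Demo: the weak setting (no trailing slash) sends the token to the attacker,
// the trailing slash keeps it on the origin, and the hardened builder refuses
// the hostile value outright.
const origin = 'https://app.example';
const hostile = buildRedirectUnsafe(origin, '@attacker.example', 'tok');
console.log(hostile, '->', landingHost(hostile));
const withSlash = buildRedirectUnsafe(origin + '/', '@attacker.example', 'tok');
console.log(withSlash, '->', landingHost(withSlash));
console.log(buildRedirectSafe(origin, 'dashboard?tab=1', 'tok'));
try {
  buildRedirectSafe(origin, '@attacker.example', 'tok');
} catch (e) {
  console.log('rejected:', e.message);
}
```

The syntactic rejects alone would miss a future parser quirk, and the origin comparison alone would not document which inputs are considered hostile, so the hardened builder does both; the final `target.origin !== base.origin` comparison is the check to keep if you only keep one.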