CVE-2026-27193
Received - Intake
Information Disclosure in Feathersjs Session Cookies Exposes Sensitive Headers

Publication date: 2026-02-21

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-25
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
feathersjs | feathers | up to 5.0.40 (exclusive)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Feathersjs framework versions 5.0.39 and below. It occurs because all HTTP request headers are stored in the session cookie, which is signed but not encrypted. The OAuth service stores the complete headers object in the session, and the session data is persisted using cookie-session middleware that base64-encodes the data. Although the cookie is signed to prevent tampering, anyone can decode the base64 value and read the contents.

As a result, sensitive internal proxy or gateway headers can be exposed to clients, revealing internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue is especially relevant in deployment setups involving reverse proxies or API gateways. The vulnerability was fixed in version 5.0.40.


How can this vulnerability impact me?

This vulnerability can lead to the exposure of sensitive internal infrastructure information to unauthorized clients. Specifically, attackers or unauthorized users can decode the session cookie to access internal proxy or gateway headers, which may include API keys, service tokens, and internal IP addresses.

Such exposure can increase the risk of further attacks, unauthorized access, or misuse of internal services, potentially compromising the security and integrity of your systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the session cookies used by the Feathersjs application, specifically looking for base64-encoded data that contains HTTP request headers.

Since the session cookie stores all HTTP request headers in a base64-encoded but not encrypted form, decoding the cookie value can reveal sensitive internal headers such as proxy or gateway headers.

To detect this on your system, you can extract the session cookie from your browser or HTTP requests and decode its base64 content to check if it contains HTTP headers.

- Use browser developer tools or a proxy tool (e.g., Burp Suite, Fiddler) to capture the session cookie.
- Extract the cookie value and decode it using a base64 decoder command, for example in a Linux/macOS terminal: `echo 'cookie_value' | base64 --decode`.
- Inspect the decoded output for HTTP headers or sensitive information such as API keys, service tokens, or internal IP addresses. [1]
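The check described above, written out as a small Node.js script. This is an added example, not code from the CVE record or from the Feathers project. It assumes the cookie is in cookie-session's format (the session object serialised as JSON and base64-encoded, with the signature carried in a separate ".sig" cookie, so no key is needed to read the value), walks the decoded session for any stored "headers" object, and flags header names that commonly carry proxy, gateway or credential material. The session used as input is constructed and every value in it is fake; the pattern list is an assumption to be extended with the header names your own proxy or gateway injects.

```javascript
// Added example (not from the CVE record or the Feathers project).
// Assumption: cookie-session format = base64(JSON.stringify(session)); the
// signature is a separate "<name>.sig" cookie and is not needed to decode.

// Assumed starting list of header names worth flagging when found in a cookie.
const SENSITIVE_HEADER_PATTERNS = [
  /^authorization$/, /^proxy-authorization$/, /^cookie$/,
  /^forwarded$/, /^x-forwarded-/, /^x-real-ip$/,
  /api-?key/, /token/, /secret/,
];

function isSensitiveHeader(name) {
  const n = name.toLowerCase();
  return SENSITIVE_HEADER_PATTERNS.some((re) => re.test(n));
}

// Decode a cookie value into the session object; returns null when the value
// is not base64-encoded JSON (e.g. another session store is in use).
function decodeSessionCookie(value) {
  try {
    const json = Buffer.from(decodeURIComponent(value), 'base64').toString('utf8');
    const session = JSON.parse(json);
    return session && typeof session === 'object' ? session : null;
  } catch {
    return null;
  }
}

// Walk the session; every nested object stored under a "headers" key is
// treated as a persisted request-headers map and its header names are listed.
function findStoredHeaders(node, path = '$', found = []) {
  if (!node || typeof node !== 'object') return found;
  for (const [key, value] of Object.entries(node)) {
    const here = `${path}.${key}`;
    if (key === 'headers' && value && typeof value === 'object') {
      for (const name of Object.keys(value)) {
        found.push({ path: here, name, sensitive: isSensitiveHeader(name) });
      }
    } else {
      findStoredHeaders(value, here, found);
    }
  }
  return found;
}

// Summarise one cookie value: whether it decodes, which header names it
// stores, and which of those match the sensitive patterns.
function auditCookie(value) {
  const session = decodeSessionCookie(value);
  if (!session) return { decodable: false, headers: [], sensitive: [] };
  const headers = findStoredHeaders(session);
  return { decodable: true, headers, sensitive: headers.filter((h) => h.sensitive) };
}

// Constructed sample shaped like the vulnerable case: a whole headers object
// stored under the OAuth session. All values are fake.
const SAMPLE_SESSION = {
  oauth: {
    headers: {
      host: 'app.example',
      'user-agent': 'curl/8.0',
      'x-forwarded-for': '10.0.0.5',
      'x-api-key': 'FAKE-KEY-NOT-REAL',
    },
    redirect: '/',
  },
};
const SAMPLE_COOKIE = Buffer.from(JSON.stringify(SAMPLE_SESSION), 'utf8').toString('base64');

const REPORT = auditCookie(SAMPLE_COOKIE);
console.log(`${REPORT.headers.length} header name(s) stored in session, ${REPORT.sensitive.length} sensitive`);
for (const h of REPORT.sensitive) console.log(`  ${h.path}.${h.name}`);
```

Run it against a cookie copied from your own application before and after upgrading to 5.0.40: a session that decodes but contains no headers block is the expected result after the fix. Header values are deliberately never printed, only names and paths, so the report itself does not reproduce the leaked material.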


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the affected packages to version 5.0.40 or later, where this vulnerability has been fixed.

Upgrading ensures that the session cookie no longer stores all HTTP request headers in a readable form, preventing exposure of sensitive internal infrastructure details.

Additionally, review your deployment configuration, especially if using reverse proxies or API gateways, to minimize exposure of internal headers.

