CVE-2026-29793
Received Received - Intake
NoSQL Injection in Feathersjs MongoDB Adapter via Socket.IO

Publication date: 2026-03-10

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-10
Last Modified
2026-03-19
Generated
2026-05-07
AI Q&A
2026-03-10
EPSS Evaluated
2026-05-05
NVD
CVE-2026-29793
EUVD
EUVD-2026-10827
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
feathersjs feathers From 5.0.0 (inc) to 5.0.42 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Feathersjs versions from 5.0.0 to before 5.0.42. Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method such as get, patch, update, or remove. The transport layer does not perform any type checking on this id argument.

When the service uses the MongoDB adapter, these arbitrary objects are processed by the getObjectId() function and are directly included in the MongoDB query as operators. For example, sending {$ne: null} as the id causes the query to match every document in the collection.

This allows an attacker to manipulate queries in unintended ways, potentially accessing or modifying data they should not be able to. The vulnerability was fixed in version 5.0.42.


How can this vulnerability impact me? :

This vulnerability can have severe impacts because it allows attackers to send specially crafted id arguments that bypass type checking and manipulate MongoDB queries.

  • Attackers can retrieve all documents in a collection by sending queries like {$ne: null} as the id.
  • Attackers may be able to update, patch, or remove data they should not have access to.
  • This can lead to unauthorized data access, data corruption, or data loss.

Overall, this vulnerability can compromise the confidentiality, integrity, and availability of data managed by the affected Feathersjs service.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Feathersjs to version 5.0.42 or later, where the issue has been fixed.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart