
CVE-2026-27191: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in feathersjs feathers

Severity: High
Tags: Vulnerability, CVE-2026-27191, CWE-601
Published: Sat Feb 21 2026 (02/21/2026, 03:23:28 UTC)
Source: CVE Database V5
Vendor/Project: feathersjs
Product: feathers

Description

CVE-2026-27191 is a high-severity open redirect vulnerability in the feathersjs framework in versions below 5.0.40. The flaw arises from improper validation of the redirect query parameter, allowing attackers to craft URLs that browsers interpret as pointing to an attacker-controlled host. This enables theft of access tokens via URL authority injection, leading to full account takeover; no prior authentication is required, but user interaction is. The vulnerability is fixed in version 5.0.40. Organizations using vulnerable versions of feathersjs in web APIs or real-time applications are at risk of impersonation attacks. Mitigation requires upgrading to 5.0.40.

AI-Powered Analysis

AI analysis last updated: 02/21/2026, 04:16:41 UTC

Technical Analysis

CVE-2026-27191 is an open redirect vulnerability classified under CWE-601 affecting the feathersjs framework, a popular tool for building web APIs and real-time applications using JavaScript or TypeScript. In versions 5.0.39 and earlier, the application constructs redirect URLs by concatenating a base origin with a user-supplied redirect query parameter without proper validation. When the origins array is configured improperly—specifically when origin values do not end with a trailing slash—an attacker can exploit this by injecting an '@' character followed by an attacker-controlled domain in the redirect parameter. For example, supplying a redirect value like '@attacker.com' results in a URL such as https://target.com@attacker.com#access_token=..., which browsers interpret as pointing to attacker.com rather than target.com. This URL authority injection allows attackers to steal access tokens embedded in the URL fragment, enabling them to impersonate victims and achieve full account takeover. The vulnerability requires user interaction (clicking a crafted link) but no prior authentication or privileges. It has been assigned a CVSS 4.0 score of 7.4 (high severity), reflecting the significant impact on confidentiality and integrity, with moderate attack complexity and user interaction required. The issue was addressed and fixed in feathersjs version 5.0.40 by properly validating and sanitizing redirect parameters to prevent URL authority injection.

Potential Impact

The primary impact of this vulnerability is the potential for full account takeover of users interacting with applications built on vulnerable versions of feathersjs. Attackers can steal access tokens by tricking users into clicking maliciously crafted URLs that exploit the open redirect flaw. This compromises user confidentiality and integrity, allowing attackers to impersonate victims, access sensitive data, and perform unauthorized actions within the affected application. The availability of the application is not directly impacted. Given feathersjs's role in building APIs and real-time apps, exploitation could lead to widespread unauthorized access, data breaches, and loss of user trust. Organizations relying on vulnerable versions risk significant reputational damage, regulatory penalties, and operational disruption. The attack requires user interaction but no authentication, increasing the attack surface especially in phishing or social engineering scenarios.

Mitigation Recommendations

1. Upgrade all instances of feathersjs to version 5.0.40 or later, where this vulnerability is fixed.
2. Review and sanitize all redirect parameters rigorously, ensuring they do not contain '@' characters or other URL authority injection vectors.
3. Configure the origins array properly, always including trailing slashes to prevent ambiguous URL parsing.
4. Implement strict allowlists for redirect URLs, permitting only trusted domains and paths.
5. Employ Content Security Policy (CSP) headers to restrict where scripts and resources can be loaded from, mitigating token theft via malicious redirects.
6. Educate users about phishing risks and suspicious URLs to reduce the likelihood of successful social engineering.
7. Monitor logs for unusual redirect patterns or access token exposures.
8. Consider implementing short-lived tokens and token revocation mechanisms to limit the window of exploitation if tokens are stolen.
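The following is an added example, not code from feathers itself, written to make the mechanism in the Technical Analysis and recommendations 2 to 4 above concrete. It shows the concatenation pattern the analysis describes (trusted origin plus user-supplied redirect value) and why a missing trailing slash lets an '@' change the host, then a hardened variant that resolves the redirect with the WHATWG URL parser and accepts it only when the parsed origin still equals an allowlisted origin. The origins, redirect values and token are constructed for illustration; target.com and attacker.com are the placeholder hosts the analysis itself uses.

```javascript
// Added example (not feathers' own code). Illustrates the redirect
// construction pattern described in the analysis and a parser-based
// check that prevents URL authority injection. All origins, redirect
// values and the token below are constructed for illustration.

// Returns the host a WHATWG-compliant parser (and therefore a browser)
// would connect to for a given URL string.
function hostOf(urlString) {
  return new URL(urlString).host;
}

// The pattern the advisory describes: trusted origin + user-supplied
// redirect value, joined by string concatenation. With an origin that
// lacks a trailing slash, a value beginning with '@' turns the trusted
// host into userinfo and the remainder into the real host.
function buildRedirectNaive(origin, redirect, token) {
  return `${origin}${redirect}#access_token=${token}`;
}

// Hardened variant: resolve the redirect against each allowed origin
// with the URL parser, then require that the parsed origin still equals
// the trusted one. Absolute URLs, protocol-relative ('//host') values
// and backslash variants resolve to a foreign origin and are rejected;
// a value like '@attacker.com' becomes a harmless path segment.
function buildRedirectSafe(allowedOrigins, redirect, token) {
  for (const allowed of allowedOrigins) {
    const trusted = new URL(allowed);
    let target;
    try {
      target = new URL(redirect, trusted);
    } catch {
      continue; // unparseable redirect value: try the next origin
    }
    if (target.origin !== trusted.origin) {
      continue; // parsed host/scheme/port differ: not this origin
    }
    // Never let the redirect value smuggle credentials or its own fragment.
    target.username = '';
    target.password = '';
    target.hash = `access_token=${token}`;
    return target.href;
  }
  return null; // no trusted origin matched: refuse to redirect at all
}

// Stand-alone demonstration with constructed values.
function demo() {
  const token = 'CONSTRUCTED_TOKEN';
  const naive = buildRedirectNaive('https://target.com', '@attacker.com', token);
  console.log('naive    :', naive, '-> browser host:', hostOf(naive));
  const slashed = buildRedirectNaive('https://target.com/', '@attacker.com', token);
  console.log('w/ slash :', slashed, '-> browser host:', hostOf(slashed));
  const safe = buildRedirectSafe(['https://target.com'], '@attacker.com', token);
  console.log('hardened :', safe, '-> browser host:', hostOf(safe));
  console.log('foreign  :', buildRedirectSafe(['https://target.com'], '//attacker.com', token));
}

demo();
```

The key design choice is to compare parsed origins rather than string prefixes: the trailing-slash fix in recommendation 3 closes the '@' case, but only a parser-level origin comparison also covers protocol-relative values, absolute URLs to other hosts, and userinfo embedded in an otherwise same-origin URL.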


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-18T19:47:02.154Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69992e44be58cf853b3dcccb

Added to database: 2/21/2026, 4:02:12 AM

Last enriched: 2/21/2026, 4:16:41 AM

Last updated: 2/21/2026, 5:23:58 AM

