CVE-2026-27192: CWE-346: Origin Validation Error in feathersjs feathers
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks whether the Referer header starts with any allowed origin, and this comparison is insufficient because it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain whose URL starts with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin. However, in specific scenarios an attacker can initiate the OAuth flow from an unauthorized origin and exfiltrate tokens, achieving full account takeover. This issue has been fixed in version 5.0.40.
AI Analysis
Technical Summary
Feathersjs is a popular JavaScript/TypeScript framework for building web APIs and real-time applications. In versions prior to 5.0.40, the framework's origin validation is flawed because getAllowedOrigin() uses the startsWith() string method to compare the Referer header against the configured list of allowed origins. A prefix match accepts any Referer that merely begins with an allowed origin string, so an attacker who registers a domain whose URL starts with that string (e.g., https://target.com.attacker.com when https://target.com is allowed) passes the check. Because tokens are still redirected to a configured origin, the bypass is not directly exploitable on its own; in specific scenarios, however, the attacker can initiate the OAuth flow from the unauthorized origin, intercept the issued tokens, and take over the account. The vulnerability is classified under CWE-346 (Origin Validation Error) and carries a CVSS 4.0 base score of 7.6 (high severity): network attack vector, high impact on confidentiality and integrity, no privileges required, but user interaction and high attack complexity are needed. No exploitation in the wild has been reported. The issue was fixed in Feathersjs version 5.0.40 by changing the origin validation so that prefix matches are no longer accepted.
Potential Impact
The vulnerability enables attackers to bypass origin validation checks and initiate OAuth flows from unauthorized origins, potentially leading to token exfiltration and full account takeover. This compromises user confidentiality and integrity, allowing unauthorized access to sensitive data and services. Organizations relying on Feathersjs for web APIs or real-time applications that implement OAuth authentication are at risk of unauthorized access, data breaches, and account compromise. The attack requires user interaction but no authentication or privileges, increasing the attack surface. Exploitation could lead to significant reputational damage, regulatory penalties, and operational disruption, especially for services handling sensitive user data or critical business functions.
Mitigation Recommendations
1. Upgrade all Feathersjs instances to version 5.0.40 or later, where the origin validation flaw is fixed.
2. Review and tighten OAuth origin configurations to whitelist exact origins (scheme, host and port) rather than relying on prefix matching.
3. Implement additional server-side validation of the Referer and Origin headers by parsing them and comparing the resulting origin for equality, rather than using startsWith().
4. Employ Content Security Policy (CSP) headers to restrict allowed sources for scripts and frames.
5. Monitor OAuth flows for unusual origin patterns or token requests from unexpected domains.
6. Educate users to be cautious of phishing attempts that may exploit this vulnerability, since exploitation requires user interaction.
7. Conduct security testing and code reviews focusing on origin validation logic in custom authentication flows.
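The difference between the prefix comparison described in the technical summary and the exact-origin comparison recommended in step 3 above, shown as an added example written for this page (it is not feathers' own getAllowedOrigin() implementation and does not reproduce the 5.0.40 fix). The allow-list, the helper names and the sample Referer values are constructed assumptions:

```javascript
// Added example, not taken from feathers. The allow-list, helper names and
// sample Referer values below are constructed for illustration only.

// Assumed allow-list as an operator might configure it. One entry carries a
// trailing slash on purpose; the hardened check normalises it away.
const ALLOWED_ORIGINS = ['https://target.com', 'https://app.target.com/'];

// Vulnerable pattern (the shape the advisory describes): accept the first
// allowed origin that the Referer merely starts with.
function getAllowedOriginPrefix(referer, origins = ALLOWED_ORIGINS) {
  if (typeof referer !== 'string') return null;
  return origins.find((origin) => referer.startsWith(origin)) || null;
}

// Reduce any URL-like string to its origin (scheme://host[:port]) with the
// WHATWG URL parser. Unparseable input and opaque "null" origins are rejected.
function toOrigin(value) {
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Hardened pattern: compare parsed origins for equality, never prefixes.
// The allow-list is normalised the same way, so trailing slashes and host
// case in the configuration do not matter.
function getAllowedOriginExact(referer, origins = ALLOWED_ORIGINS) {
  const refOrigin = toOrigin(referer);
  if (refOrigin === null) return null;
  const allowed = new Set(origins.map(toOrigin).filter((o) => o !== null));
  return allowed.has(refOrigin) ? refOrigin : null;
}

// Constructed Referer values covering the advisory's bypass and related edge cases.
const SAMPLE_REFERERS = [
  'https://target.com/login',               // legitimate
  'https://app.target.com/callback',        // legitimate; allow-list entry had a trailing slash
  'https://TARGET.com/login',               // legitimate; host names are case-insensitive
  'https://target.com.attacker.com/login',  // the advisory's prefix bypass
  'https://target.com@attacker.com/login',  // userinfo trick: the host is attacker.com
  'https://target.com:8443/login',          // same host, different port, different origin
  'http://target.com/login',                // scheme downgrade
  'not a url',
];

// Run both checks over the samples and return the results side by side.
function compareChecks(referers = SAMPLE_REFERERS) {
  return referers.map((referer) => ({
    referer,
    prefix: getAllowedOriginPrefix(referer),
    exact: getAllowedOriginExact(referer),
  }));
}

for (const row of compareChecks()) {
  console.log(
    `${row.referer.padEnd(40)} prefix=${String(row.prefix).padEnd(26)} exact=${row.exact}`
  );
}
```

Running the block with node prints one row per sample. The prefix check accepts the attacker-controlled hosts target.com.attacker.com and target.com@attacker.com and the wrong port, while rejecting the legitimate upper-case host; the exact check gets all of those right. Note that an exact origin match only answers "is this Referer one of ours": the header is still client-supplied and may be absent, so it is a supporting control for the OAuth flow, not a replacement for the upgrade in step 1.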
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-18T19:47:02.154Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69992e44be58cf853b3dccd0
Added to database: 2/21/2026, 4:02:12 AM
Last enriched: 2/28/2026, 1:24:33 PM
Last updated: 4/7/2026, 11:40:02 AM