
CVE-2026-27193: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in feathersjs feathers

Severity: High
Tags: cve, cve-2026-27193, cwe-200
Published: Sat Feb 21 2026 (02/21/2026, 04:09:06 UTC)
Source: CVE Database V5
Vendor/Project: feathersjs
Product: feathers

Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.

AI-Powered Analysis

Last updated: 02/21/2026, 04:46:39 UTC

Technical Analysis

Feathersjs is a popular framework for building web APIs and real-time applications using JavaScript or TypeScript. In versions 5.0.39 and earlier, a high-severity vulnerability (CVE-2026-27193) exists in the way HTTP request headers are handled within session management. Specifically, the OAuth service stores the entire HTTP headers object in the session, which is then persisted by the cookie-session middleware. The session cookie is signed to prevent tampering, but it is not encrypted: its contents are only base64-encoded, so anyone with access to the cookie can decode them trivially. This design flaw exposes sensitive internal headers, including proxy or gateway headers that may contain API keys, service tokens, internal IP addresses, or other confidential infrastructure details. The vulnerability is particularly impactful where Feathersjs applications are deployed behind reverse proxies or API gateways that add such headers. Exploitation requires only reading the session cookie on the client side, with no authentication or user interaction. The vulnerability has a CVSS 4.0 score of 8.2 (high severity), reflecting the significant confidentiality impact, tempered by the attack complexity introduced by the specific deployment requirements. The issue was fixed in Feathersjs version 5.0.40, presumably by removing sensitive headers from the session cookie or by encrypting the cookie contents.

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of sensitive internal information such as API keys, service tokens, and internal network details. This exposure can facilitate further attacks, including unauthorized access to backend services, lateral movement within internal networks, and compromise of other connected systems. Organizations using vulnerable Feathersjs versions in environments behind reverse proxies or API gateways are at risk of leaking critical infrastructure details to attackers who can capture or access client-side cookies. This can undermine confidentiality and potentially lead to broader security breaches. The vulnerability does not directly affect integrity or availability but significantly compromises confidentiality, which can cascade into more severe attacks. Since no authentication or user interaction is required, the attack surface is broad, though the complexity is elevated by the need for specific deployment configurations. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of patching due to the high severity and ease of cookie decoding.

Mitigation Recommendations

Organizations should immediately upgrade Feathersjs to version 5.0.40 or later, where this vulnerability is fixed. Until upgrading, a practical mitigation is to avoid storing sensitive headers in session cookies or to implement encryption for cookie contents to prevent plaintext exposure. Reviewing and minimizing the headers added by reverse proxies or API gateways can reduce sensitive data exposure. Additionally, configuring cookies with the Secure and HttpOnly flags can help prevent interception and client-side script access, though this does not prevent base64 decoding if the cookie is accessible. Network segmentation and strict access controls on internal services can limit the impact if sensitive information is leaked. Monitoring for unusual access patterns or attempts to read session cookies can provide early detection. Finally, auditing OAuth service configurations and session management practices to ensure no sensitive data is stored client-side is critical.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-18T19:47:02.154Z
CVSS Version: 4.0
State: PUBLISHED

Added to database: 2/21/2026, 4:32:13 AM

Last enriched: 2/21/2026, 4:46:39 AM

Last updated: 2/22/2026, 6:51:40 AM
