CVE-2026-27193: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in feathersjs feathers
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses. This issue has been fixed in version 5.0.40.
AI Analysis
Technical Summary
Feathersjs is a JavaScript and TypeScript framework for building web APIs and real-time applications. In versions 5.0.39 and earlier, the OAuth service stores the entire headers object of the incoming request in the session during the OAuth flow. The session is persisted by the cookie-session middleware, which serializes the session object as base64-encoded JSON in a cookie and sets a separate HMAC signature cookie. The signature stops a client from modifying the session, but it provides no confidentiality: anyone holding the cookie can base64-decode it and read every stored header. The headers captured are the ones the application saw after any reverse proxy or API gateway in front of it had added its own, so the cookie can hand a client headers it never sent, such as X-Forwarded-For and X-Real-IP values that reveal internal hop addresses, or gateway-injected API keys and service tokens used for backend authentication. Exploitation needs no authentication and no user interaction beyond a client requesting the OAuth endpoint and decoding the cookie it receives; what actually leaks depends on what the surrounding infrastructure injects into requests. Version 5.0.40 fixes the issue. The advisory does not describe the change; the two sound approaches are not persisting the headers object in the session at all, or encrypting the session payload instead of only signing it. No exploitation in the wild has been reported; the CVSS score of 8.2 (High) reflects the sensitivity of the data that can be disclosed.
Potential Impact
What leaks here is not a victim's data but the deployment's own secrets: a single request by an unauthenticated client returns, inside that client's session cookie, whatever the proxy or gateway attached to the request on its way to the application. An API key or service token that backend services trust lets an attacker call those services directly, bypassing the gateway's authentication and rate limiting; internal IP addresses from forwarding headers map the hops between the edge and the application and support lateral movement and further targeted attacks such as privilege escalation or data exfiltration. The impact therefore scales with how much the infrastructure relies on headers for internal authentication and routing: deployments behind reverse proxies or API gateways that inject credentials are the most exposed, while a bare deployment leaks little beyond the client's own headers. Because the vulnerability is reachable remotely without credentials, every affected deployment of this kind is open to internal network reconnaissance, unauthorized access to backend services, and the operational disruption and data breaches that follow.
Mitigation Recommendations
Upgrade feathersjs to version 5.0.40 or later. Independently of the upgrade, stop secrets from reaching the application in headers at all: configure the proxy or gateway to strip internal headers before forwarding, authenticate the proxy-to-application hop with mTLS or a network boundary rather than an injected API key, and keep forwarding headers (X-Forwarded-For, X-Real-IP) to the minimum needed. Note that cookie-session only signs cookies and has no encryption option, so "encrypting the session" means moving to a server-side session store or to a library that encrypts the cookie payload; either way, never store the raw headers object, the Authorization header, or tokens in client-held session data, and keep the session to the few fields the OAuth flow actually needs. Treat any key or token that was forwarded in headers to an affected deployment as potentially exposed and rotate it. To confirm exposure, base64-decode a session cookie issued by the OAuth endpoint of the running deployment and inspect it for a headers object. Monitor for session cookies that are unusually large and alert when a gateway-injected credential is presented from a source that did not pass through the gateway. Finally, review custom middleware and hooks that touch headers or sessions for the same pattern.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-18T19:47:02.154Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6999354dbe58cf853b44946b
Added to database: 2/21/2026, 4:32:13 AM
Last enriched: 3/1/2026, 12:47:47 AM
Last updated: 4/8/2026, 1:14:43 PM