CVE-2026-29793: CWE-943: Improper Neutralization of Special Elements in Data Query Logic in @feathersjs mongodb
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.
AI Analysis
Technical Summary
The vulnerability CVE-2026-29793 affects the @feathersjs framework, a popular tool for building web APIs and real-time applications using JavaScript or TypeScript. Specifically, versions from 5.0.0 up to but not including 5.0.42 are vulnerable when the framework is used with the MongoDB adapter. The root cause is that Socket.IO clients can send arbitrary JavaScript objects as the id argument to service methods such as get, patch, update, and remove. The transport layer does not enforce type checking on this id parameter. When the MongoDB adapter processes this id, it passes through getObjectId(), which does not validate the input's type, and is embedded in the query unchanged. As a result, crafted objects containing MongoDB query operators (e.g., {$ne: null}) are injected directly into the database query. This allows attackers to manipulate queries to match all documents or perform unauthorized operations on the database. The vulnerability is categorized under CWE-943, improper neutralization of special elements in data query logic. Exploitation requires no authentication or user interaction, making it trivially exploitable remotely. The CVSS 4.0 score is 9.3 (critical), reflecting the high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability poses a severe risk to any organization using affected versions of Feathersjs with MongoDB. The issue was publicly disclosed on March 10, 2026, and fixed in version 5.0.42.
Potential Impact
This vulnerability can have devastating consequences for organizations worldwide that use the @feathersjs framework with MongoDB. Attackers can bypass access controls and execute arbitrary queries that affect all documents in a collection, leading to unauthorized data disclosure, modification, or deletion. This compromises data confidentiality, integrity, and availability simultaneously. Because no authentication or user interaction is required, attackers can remotely exploit this flaw at scale, potentially affecting multiple services and applications. The impact is especially severe for organizations relying on Feathersjs for critical APIs or real-time applications handling sensitive or regulated data. Data breaches, service disruptions, and loss of customer trust are likely outcomes. Additionally, attackers could leverage this vulnerability as a foothold for further lateral movement or persistence within affected environments. The lack of known exploits in the wild does not diminish the urgency, as the vulnerability is straightforward to exploit and publicly documented.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the @feathersjs framework to version 5.0.42 or later, where the issue is fixed. If upgrading is not immediately feasible, implement strict input validation and sanitization on the id parameter at the application layer to reject any non-string or non-ObjectId inputs, especially those containing MongoDB operators. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious query patterns such as {$ne: null} in requests. Restrict network access to the affected services to trusted clients only and monitor logs for anomalous queries or unexpected mass data access patterns. Conduct thorough code reviews and penetration testing focusing on injection flaws in data query logic. Finally, maintain an inventory of all applications using Feathersjs with MongoDB to ensure no vulnerable instances remain in production or development environments.
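The mechanism and the mitigation described above, as an added example that is not part of the original advisory or of Feathers' own code: a framework-free guard for the `id` argument that accepts only a scalar (string or number) and refuses objects, shown beside the unguarded filter shape that lets an object become an operator. The names `rejectUnsafeId`, `buildIdFilter`, `containsOperatorKey`, the hook-like `context` shape and the treatment of `null` as "multi" for patch/remove are assumptions of this example.

```javascript
// Added example, not Feathers' or the page's own code. A guard for the `id`
// argument that mirrors the advisory's mitigation: only a string or a finite
// number passes; any object (the shape that lets {$ne: null} become an operator)
// is rejected before a MongoDB filter is built.

const METHODS_WITH_ID = ['get', 'patch', 'update', 'remove'];

// True when `value` (recursively) carries a MongoDB operator key ($-prefixed).
// Useful both for the guard and for flagging suspicious messages in logs.
function containsOperatorKey(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsOperatorKey);
  return Object.entries(value).some(([k, v]) => k.startsWith('$') || containsOperatorKey(v));
}

// A scalar id is a non-empty string or a finite number. Everything else,
// including plain objects and arrays, is refused.
function isSafeId(id) {
  if (typeof id === 'string') return id.length > 0;
  if (typeof id === 'number') return Number.isFinite(id);
  return false;
}

// Hook-shaped check (assumed signature: a `context` with `method` and `id`).
// `null` is let through for patch/remove because the framework uses it to mean
// "operate on multiple records" (assumption about that convention).
function rejectUnsafeId(context) {
  if (!METHODS_WITH_ID.includes(context.method)) return context;
  if (context.id === null && (context.method === 'patch' || context.method === 'remove')) {
    return context;
  }
  if (!isSafeId(context.id)) {
    const kind = containsOperatorKey(context.id) ? 'operator object' : typeof context.id;
    throw new TypeError(`${context.method}: id must be a string or number, got ${kind}`);
  }
  return context;
}

// The unguarded filter shape the advisory describes: `id` is embedded as-is,
// so an object id turns into `{ _id: { $ne: null } }` and matches everything.
function buildIdFilterUnchecked(id) {
  return { _id: id };
}

// The guarded counterpart: validate first, then embed.
function buildIdFilter(method, id) {
  const ctx = rejectUnsafeId({ method, id });
  return { _id: ctx.id };
}
```

`containsOperatorKey` can also be run over captured Socket.IO payloads when reviewing logs for the anomalous query patterns the mitigation section mentions.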
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.900Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69b17c642f860ef943f8b128
Added to database: 3/11/2026, 2:29:56 PM
Last enriched: 3/11/2026, 2:44:14 PM
Last updated: 3/14/2026, 1:14:45 AM