Session Cookie Exposure in Feathersjs Framework Versions
CVE-2026-27193
8.2HIGH
What is CVE-2026-27193?
The Feathersjs framework, which facilitates the development of web APIs and real-time applications using TypeScript or JavaScript, contains a significant vulnerability in versions 5.0.39 and earlier. All HTTP request headers are stored in the session cookie, which, while signed, is not encrypted. This allows sensitive internal headers, including API keys and service tokens, to be exposed to clients through base64 decoding of the cookie content. Specifically, in setups involving reverse proxies or API gateways, internal infrastructure details such as internal IP addresses can be leaked. The issue has been addressed in version 5.0.40.
Affected Version(s)
feathers < 5.0.40
