Session Cookie Exposure in Feathersjs Framework Versions
CVE-2026-27193

8.2HIGH

Key Information:

Vendor

Feathersjs

Status
Vendor
CVE Published:
21 February 2026

What is CVE-2026-27193?

The Feathersjs framework, which facilitates the development of web APIs and real-time applications using TypeScript or JavaScript, contains a significant vulnerability in versions 5.0.39 and earlier. All HTTP request headers are stored in the session cookie, which, while signed, is not encrypted. This allows sensitive internal headers, including API keys and service tokens, to be exposed to clients through base64 decoding of the cookie content. Specifically, in setups involving reverse proxies or API gateways, internal infrastructure details such as internal IP addresses can be leaked. The issue has been addressed in version 5.0.40.

Affected Version(s)

feathers < 5.0.40

References

CVSS V4

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.