Description
All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients.
Recommendation
Update the @feathersjs/authentication-oauth package to the latest compatible version. Followings are version details:
- Affected version(s): <= 5.0.39
- Patched version(s): 5.0.40
References
Related Issues
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- Parse Server exposes auth data via /users/me endpoint - CVE-2026-33627
- Parse Server has a session field immutability bypass via falsy-value guard - CVE-2026-34574
- Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter - CVE-2026-30965
You might also like:
- Tags:
- npm
- @feathersjs/authentication-oauth
Anything's wrong? Let us know Last updated on February 23, 2026