Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
- Severity: High
Description
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators.
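As an added illustration of the missing check, not code from Feathers or @feathersjs/mongodb, the hook below enforces a scalar-only id before any adapter query is built; the hook shape and the `method`/`id` context fields are assumptions, and the sample calls are constructed.

```javascript
// Added example, not code from Feathers or @feathersjs/mongodb.
// A hypothetical service hook that performs the type check the transport
// layer does not: only scalar ids (non-empty string or finite number) reach
// the adapter, so an object carrying MongoDB operator keys is rejected
// before getObjectId() or the query ever sees it.
const ID_METHODS = new Set(['get', 'patch', 'update', 'remove']);

// Accept exactly the id shapes a Mongo-backed service legitimately needs.
function isSafeId(id) {
  if (typeof id === 'number') return Number.isFinite(id);
  if (typeof id === 'string') return id.length > 0;
  return false; // objects, arrays, null, undefined, booleans: all rejected
}

// Throw on anything else, naming the offending shape for the audit log.
function assertSafeId(id) {
  if (!isSafeId(id)) {
    const shape = Object.prototype.toString.call(id);
    throw new TypeError(`rejected id of type ${shape}`);
  }
  return id;
}

// Hypothetical hook shape (assumed): receives a context with `method` and
// `id` and returns it unchanged when the id is acceptable.
function validateIdHook(context) {
  if (ID_METHODS.has(context.method) && context.id !== undefined) {
    assertSafeId(context.id);
  }
  return context;
}

// Constructed sample calls mirroring what a Socket.IO client could send.
const samples = [
  { method: 'get', id: '64b64c0f1b2c3d4e5f6a7b8c' }, // ObjectId-style string: ok
  { method: 'patch', id: 7 },                          // numeric id: ok
  { method: 'find', id: undefined },                   // find takes no id: ok
  { method: 'remove', id: { $ne: null } },             // operator object: rejected
];

// Run every sample through the hook and report the outcome per call.
function classifySamples() {
  return samples.map((ctx) => {
    try {
      validateIdHook(ctx);
      return 'accepted';
    } catch (err) {
      return `rejected: ${err.message}`;
    }
  });
}
```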
Recommendation
Update the @feathersjs/mongodb package to the latest compatible version. Version details:
- Affected version(s): >= 5.0.0, <= 5.0.41
- Patched version(s): 5.0.42
References
Related Issues
- Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path - CVE-2026-26280
- Parse Server has a NoSQL injection via token type in password reset and email verification endpoints - CVE-2026-30941
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- Tags: npm, @feathersjs/mongodb
Last updated on March 10, 2026