Description
An unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string, without ever completing the provider round trip. The OAuth service builds its authentication payload through a fallback chain that, when Grant's session and state responses are empty, falls through to params.query (the raw request query), so attacker-controlled query parameters are accepted in place of the provider's response.
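The following is an added illustration of the fallback pattern described above, not code from @feathersjs/authentication-oauth or from Grant. The function names, the shape of `params` (`session.grant.response`, `state.response`, `query`), and the forged request are all assumptions constructed for the example; the point is that the last link of the chain is attacker-controlled, and that the hardened variant refuses to fall through to the raw query.

```javascript
// Added example: models the fallback chain in the advisory. Names and the
// shape of `params` are assumptions, not the library's actual code.

// Vulnerable pattern: the payload comes from Grant's session response, then
// its state response, then the raw request query. A direct GET to the
// callback with no Grant session reaches the last (attacker-controlled) link.
function vulnerableAuthPayload(params) {
  const session = params.session && params.session.grant && params.session.grant.response;
  const state = params.state && params.state.response;
  return session || state || params.query;
}

// Hardened version: only trust what Grant stored server-side after a real
// provider round trip; never consult params.query, and fail closed.
function hardenedAuthPayload(params) {
  const session = params.session && params.session.grant && params.session.grant.response;
  const state = params.state && params.state.response;
  const response = session || state;
  if (!response || typeof response !== 'object') {
    throw new Error('No OAuth provider response in session; refusing to use raw query');
  }
  return response;
}

// Constructed (not captured) request: a direct GET to /oauth/:provider/callback
// carrying a forged profile in the query string, with no Grant session state.
const forgedRequest = {
  session: {},   // no provider round trip happened
  state: {},
  query: { access_token: 'forged', profile: { id: '1', email: 'victim@example.com' } },
};

// Runs both variants against the forged request and reports the outcome.
function demo() {
  const vuln = vulnerableAuthPayload(forgedRequest);
  let hardened;
  try {
    hardenedAuthPayload(forgedRequest);
    hardened = 'accepted';
  } catch (e) {
    hardened = 'rejected';
  }
  return { vulnerableProfileEmail: vuln.profile.email, hardened };
}
```

On a patched deployment the check to make is the same as the hardened branch: a request to the callback URL that skips the provider redirect must not produce an authenticated session, regardless of what is placed in the query string.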
Recommendation
Update the @feathersjs/authentication-oauth package to the latest compatible version. Version details:
- Affected version(s): >= 5.0.0, <= 5.0.41
- Patched version(s): 5.0.42
References
Related Issues
- Feathers has an open redirect in OAuth callback enables account takeover - CVE-2026-27191
- Feathers has an origin validation bypass via prefix matching - CVE-2026-27192
- WebdriverIO BrowserStack Service has a Command Injection issue - CVE-2026-25244
- Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover - CVE-2026-46396
Tags: npm, @feathersjs/authentication-oauth
Last updated on March 10, 2026