Description
The origin validation compares the incoming origin against the allowed origins with startsWith(). Because only a prefix has to match, an attacker who registers a domain that begins with an allowed origin (for example, the allowed hostname followed by further characters) passes the check.
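To make the bug class concrete, the following is an added example and not code from @feathersjs/authentication-oauth: it places a prefix-based origin check next to a check that compares the parsed origin (scheme, host and port) for exact equality, and runs both over a set of constructed candidate origins. The allow-list, the function names and the candidate strings are all assumptions made for the illustration; the exact-origin comparison is the general fix pattern, not a reproduction of the package's patch.

```javascript
// Added illustration of the bug class described above; this is NOT code from
// @feathersjs/authentication-oauth. The allow-list, function names and
// candidate origins below are constructed for the example.

// Hypothetical allow-list of origins permitted to start an OAuth flow.
const ALLOWED_ORIGINS = ['https://app.example.com'];

// Vulnerable pattern: a plain prefix comparison. Anything that merely begins
// with an allowed origin passes, including attacker-registered hostnames.
function isAllowedByPrefix(origin) {
  return ALLOWED_ORIGINS.some((allowed) => origin.startsWith(allowed));
}

// Hardened pattern: parse the candidate with the WHATWG URL parser (the URL
// global in Node and browsers) and compare the serialized origin
// (scheme + host + port) for exact equality. Unparseable input is rejected
// rather than compared as a string.
function isAllowedExact(origin) {
  let candidate;
  try {
    candidate = new URL(origin);
  } catch {
    return false; // e.g. 'null', an empty header, or garbage
  }
  // URL.origin lowercases scheme and host and drops a default port, so
  // 'HTTPS://APP.EXAMPLE.COM:443' and 'https://app.example.com' compare equal.
  return ALLOWED_ORIGINS.some((allowed) => new URL(allowed).origin === candidate.origin);
}

// Constructed candidates covering the shapes a prefix check gets wrong.
const CANDIDATES = [
  'https://app.example.com',              // legitimate
  'https://app.example.com.attacker.net', // allowed host reused as a subdomain label
  'https://app.example.comattacker.net',  // allowed host as a raw prefix of another hostname
  'https://app.example.com@attacker.net', // allowed host placed in userinfo; real host is attacker.net
  'http://app.example.com',               // wrong scheme
  'HTTPS://APP.EXAMPLE.COM:443',          // legitimate, written differently
  'not a url',
];

// Returns, per candidate, what each check decides, so the two can be compared.
function compareChecks(candidates = CANDIDATES) {
  return candidates.map((origin) => ({
    origin,
    prefix: isAllowedByPrefix(origin),
    exact: isAllowedExact(origin),
  }));
}

for (const row of compareChecks()) {
  console.log(`${row.origin.padEnd(40)} prefix=${row.prefix} exact=${row.exact}`);
}
```

Two points worth noticing in the output: the prefix check accepts all three attacker-controlled hosts, and it also rejects the legitimate `HTTPS://APP.EXAMPLE.COM:443` form because string comparison knows nothing about case or default ports. Parsing first and comparing `URL.origin` fixes both, and it only accepts what the parser actually treats as the host, which is what defeats the userinfo trick.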
Recommendation
Update @feathersjs/authentication-oauth to a patched release. Version details:
- Affected version(s): <= 5.0.39
- Patched version(s): 5.0.40
Tags:
- npm
- @feathersjs/authentication-oauth
Last updated on February 23, 2026