Information disclosure in Feathersjs Feathers

CVE-2026-27193

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing…

Vulnerability class: Information Disclosure

EPSS: 0.000 (2.4th percentile)
