@alon710
Created March 10, 2026 22:40
CVE-2026-29793: NoSQL Injection via Missing Type Validation in FeathersJS MongoDB Adapter

CVSS Score: 9.3 (CVSS v4.0, Critical)
Published: 2026-03-10
Full Report: https://cvereports.com/reports/CVE-2026-29793

Summary

The FeathersJS MongoDB adapter (@feathersjs/mongodb) prior to version 5.0.42 contains a critical NoSQL injection vulnerability caused by insufficient type validation of the 'id' argument to the id-based service methods (get, update, patch, remove). Over the REST transport an id arrives as a URL path segment and is therefore always a string, but WebSocket transports such as Socket.IO deliver the JSON-decoded value as-is, so a client can send an object such as {"$ne": null} in place of a scalar id. Because the adapter builds its selector from that value ({_id: id} by default), an equality match on one record silently becomes an operator query that matches arbitrary records. Unauthenticated remote attackers can exploit this to bypass record-level isolation and perform unauthorized data retrieval, modification, or deletion.

TL;DR

A critical NoSQL injection vulnerability in @feathersjs/mongodb allows remote attackers to bypass database isolation by injecting MongoDB operators through unvalidated WebSocket payloads.

Exploit Status: POC

Technical Details

  • CWE ID: CWE-943
  • Attack Vector: Network (WebSocket / Socket.IO)
  • CVSS v4.0: 9.3 Critical
  • Impact: Unauthorized Data Access, Modification, and Deletion
  • Exploit Status: Proof of Concept Available
  • Affected Component: @feathersjs/mongodb prior to 5.0.42

Affected Systems

  • FeathersJS Framework
  • @feathersjs/mongodb (Feathers MongoDB Adapter)
  • @feathersjs/mongodb: >= 5.0.0, < 5.0.42 (Fixed in: 5.0.42)

Mitigation

  • Upgrade @feathersjs/mongodb to version 5.0.42 or later.
  • Until the upgrade is in place, register a global FeathersJS 'before' hook on get, update, patch and remove that rejects any 'id' that is not a string or a number. Objects and arrays must be rejected outright; do not rely on the REST transport's string coercion, because Socket.IO bypasses it.
  • Monitor WebSocket (Socket.IO) traffic for JSON payloads containing MongoDB operators (keys starting with '$'), in particular in the id position of get/update/patch/remove calls, where an operator is never legitimate.
  • Review the adapter's allowed-operator configuration (the 'whitelist' option in Feathers v4, renamed 'operators' in v5) and keep it as narrow as possible. Note that this list only governs params.query; it does not validate the id argument, so it complements the hook rather than replacing it.
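The following is an added example, not code from the advisory or from the FeathersJS project. It shows both the interim mitigation (a global 'before' hook that rejects non-scalar ids) and the monitoring side (a scanner that reports '$'-prefixed keys in decoded Socket.IO service calls). It assumes the Feathers v5 hook contract (context.method, context.id, context.params.provider) and the Socket.IO message shape [method, servicePath, id, query]; the sample frames are constructed, and a local BadRequest class stands in for the one exported by @feathersjs/errors so the file runs without dependencies.

```javascript
// Added example: id-type validation hook plus an operator scanner for
// Socket.IO frames. Not part of the advisory or of @feathersjs/mongodb.
// Assumes the Feathers v5 hook contract and the [method, service, id, query]
// frame shape; use BadRequest from @feathersjs/errors in a real app.

class BadRequest extends Error {
  constructor(message) {
    super(message);
    this.name = 'BadRequest';
    this.code = 400;
  }
}

// Service methods whose first argument is an id. find/create take none.
const ID_METHODS = new Set(['get', 'update', 'patch', 'remove']);

// Accept only non-empty strings and finite numbers. Objects, arrays,
// booleans and NaN are rejected, so {$ne: null} never reaches the selector.
function isScalarId(id) {
  return (typeof id === 'string' && id.length > 0) ||
         (typeof id === 'number' && Number.isFinite(id));
}

// Global 'before' hook. Only external calls are checked (the transport sets
// params.provider); trusted internal calls are left alone. A null id on
// patch/remove means "multi" and is governed by the adapter's multi option,
// so it is not treated as an injection attempt here.
function validateId(context) {
  if (!ID_METHODS.has(context.method)) return context;
  if (!context.params || !context.params.provider) return context;
  const { id } = context;
  if (id === null || id === undefined) return context;
  if (!isScalarId(id)) {
    throw new BadRequest(
      `${context.method}: id must be a string or number, got ${JSON.stringify(id)}`
    );
  }
  return context;
}

// Walk any JSON value and return the dotted path of the first key starting
// with '$', or null if there is none.
function findOperatorKey(value, path = '') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findOperatorKey(value[i], `${path}[${i}]`);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const here = path ? `${path}.${key}` : key;
      if (key.startsWith('$')) return here;
      const hit = findOperatorKey(value[key], here);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Monitoring side: inspect one decoded service call. An operator in the id
// slot of an id method is always suspicious; operators in the query slot are
// reported too but are often legitimate ($sort, $limit, ...).
function inspectSocketCall(frame) {
  const [method, service, id, query] = frame;
  const idOperator = ID_METHODS.has(method) ? findOperatorKey(id, 'id') : null;
  return { method, service, idOperator, queryOperator: findOperatorKey(query, 'query') };
}

// What the adapter effectively builds before querying. With a scalar this is
// an equality match on one document; with an object it is an operator query.
function selectorFor(id, idField = '_id') {
  return { [idField]: id };
}

// Constructed sample frames (not captured traffic).
const SAMPLE_FRAMES = [
  ['get', 'messages', '64b1f0c2e4a5b6c7d8e9f001', {}],
  ['remove', 'messages', { $ne: null }, {}],
  ['find', 'messages', null, { $limit: 10 }],
];

for (const frame of SAMPLE_FRAMES) {
  console.log(inspectSocketCall(frame), 'selector:', selectorFor(frame[2]));
}
```

Register validateId as an app-level before hook for get, update, patch and remove so that every service backed by the adapter is covered; a per-service hook is easy to forget on a newly added service. The scanner is the same function the hook could log from, so the monitoring rule and the enforcement rule cannot drift apart.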

Remediation Steps:

  1. Identify all projects utilizing the @feathersjs/mongodb dependency, including copies pulled in transitively by plugins.
  2. Execute package manager update commands (e.g., 'npm install @feathersjs/mongodb@latest' or 'yarn upgrade @feathersjs/mongodb').
  3. Verify that every installed copy is >= 5.0.42 by inspecting package-lock.json or yarn.lock (or 'npm ls @feathersjs/mongodb'); a nested older copy under another package's node_modules is still affected.
  4. Restart the application server to apply the updated adapter logic.
  5. If patching is delayed, apply a global 'before' hook that rejects non-scalar ids to all services interacting with MongoDB.
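The following is an added example for step 3, not part of the advisory: it audits a package-lock.json for every installed copy of @feathersjs/mongodb and flags those inside the affected range (>= 5.0.0, < 5.0.42). It assumes lockfileVersion 2 or 3, where the "packages" map is keyed by node_modules path, so nested duplicate installs are found as well. The lockfile and the plugin name in it are constructed for the example.

```javascript
// Added example: lockfile audit for CVE-2026-29793. Not from the advisory.
// Assumes package-lock.json lockfileVersion 2 or 3 ("packages" keyed by path).

const PKG = '@feathersjs/mongodb';
const AFFECTED_MIN = '5.0.0';   // first affected version per the advisory
const FIXED = '5.0.42';         // first fixed version per the advisory

// Parse "major.minor.patch"; pre-release and build suffixes are ignored.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of the three components; returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Affected iff AFFECTED_MIN <= version < FIXED.
function isAffected(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 &&
         compareSemver(version, FIXED) < 0;
}

// Return every installed copy of PKG with its path, version and status.
// Top-level and nested copies (".../node_modules/<pkg>") are both matched.
function auditLockfile(lock) {
  if (!lock.packages) {
    throw new Error('expected lockfileVersion 2 or 3 (a "packages" key)');
  }
  const suffix = `node_modules/${PKG}`;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      hits.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return hits;
}

// Constructed lockfile: a fixed top-level copy plus a stale nested copy
// pulled in by a hypothetical plugin ('some-plugin' is made up).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { '@feathersjs/mongodb': '^5.0.42' } },
    'node_modules/@feathersjs/mongodb': { version: '5.0.42' },
    'node_modules/some-plugin': { version: '1.2.3' },
    'node_modules/some-plugin/node_modules/@feathersjs/mongodb': { version: '5.0.31' },
    'node_modules/mongodb': { version: '6.3.0' },
  },
};

const report = auditLockfile(SAMPLE_LOCK);
for (const hit of report) {
  const status = hit.affected ? 'AFFECTED' : 'ok      ';
  console.log(`${status} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

To run it against a real project, load the file with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')) and pass the result to auditLockfile; any entry reported as affected needs an update, and a nested copy usually means the dependent package pins an old range and has to be updated or deduplicated as well.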

Generated by CVEReports - Automated Vulnerability Intelligence
