Feathers exposes internal headers via unencrypted cookie
CVE-2026-27193
GHSA-9m9c-vpv5-9g85
Summary
The OAuth authentication service of the Feathers web framework (`@feathersjs/authentication-oauth`) stores the complete set of incoming HTTP request headers in its session cookie. That cookie is signed but not encrypted, so any client holding it can decode the contents. When Feathers runs behind a reverse proxy or API gateway that injects internal headers, this can expose infrastructure details such as API keys, service tokens and internal IP addresses to end users. The fix is to upgrade to `@feathersjs/authentication-oauth` 5.0.40; until then, a deployment that keeps secrets out of the headers reaching the service reduces what the cookie can leak.
What to do
- Update `@feathersjs/authentication-oauth` to version 5.0.40 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| feathersjs | authentication-oauth | <= 5.0.39 | 5.0.40 |
| feathersjs | feathers | <= 5.0.40 | – |
Original title
Feathers exposes internal headers via unencrypted session cookie
Original description
All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients.
The OAuth service stores the complete headers object in the session:
```javascript
// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L173
session.headers = headers;
```
The session is persisted using `cookie-session`, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value.
Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API keys, service tokens, and internal IP addresses.
**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 8.2
Vulnerability type: CWE-200 (Information Exposure)
- https://nvd.nist.gov/vuln/detail/CVE-2026-27193
- https://github.com/advisories/GHSA-9m9c-vpv5-9g85
- https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981... Patch
- https://github.com/feathersjs/feathers/releases/tag/v5.0.40 Product Release Notes
- https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85 Third Party Advisory
Published: 19 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026