Feathers MongoDB Adapter Vulnerable to Data Exposure Through WebSocket
CVE-2026-29793
GHSA-p9xr-7p9p-gpqx
Summary
Using Feathers with the MongoDB adapter makes your app vulnerable to data exposure. An attacker can send malicious data to your app's WebSocket, potentially accessing all your database records. Update Feathers to the latest version to fix this vulnerability.
What to do
- Update feathersjs mongodb to version 5.0.42.
- Update feathersjs @feathersjs/mongodb to version 5.0.42.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| feathersjs | mongodb | > 5.0.0, <= 5.0.41 | 5.0.42 |
| feathersjs | @feathersjs/mongodb | > 5.0.0, <= 5.0.42 | 5.0.42 |
Original title
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
Original description
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.
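The following is an added example, not code from the advisory or from the Feathers project. It models the defect described above with a constructed in-memory collection and a minimal stand-in for MongoDB's `_id` filter evaluation, then shows the kind of type check on the id argument that stops an object from reaching the query. The function names and sample documents are constructed for illustration.

```javascript
// Constructed sample collection standing in for a MongoDB collection.
const SAMPLE_DOCS = [
  { _id: '65f1c0ffee0ddba11ad0c001', owner: 'alice', note: 'private a' },
  { _id: '65f1c0ffee0ddba11ad0c002', owner: 'bob', note: 'private b' },
  { _id: '65f1c0ffee0ddba11ad0c003', owner: 'carol', note: 'private c' },
];

// Minimal stand-in for how MongoDB evaluates a filter on `_id`: a primitive
// value means equality, while a plain object is read as a bag of operators.
function matchesId(doc, filterValue) {
  if (filterValue === null || typeof filterValue !== 'object') {
    return doc._id === filterValue;
  }
  return Object.entries(filterValue).every(([op, operand]) => {
    switch (op) {
      case '$eq': return doc._id === operand;
      case '$ne': return doc._id !== operand;
      case '$in': return Array.isArray(operand) && operand.includes(doc._id);
      default: throw new Error(`unsupported operator in example: ${op}`);
    }
  });
}

// Vulnerable shape as the advisory describes it: whatever the transport
// delivered as `id` is placed into the query unchanged, so an object such as
// { $ne: null } becomes operator syntax and matches every document.
function unsafeGet(id, docs = SAMPLE_DOCS) {
  const query = { _id: id };
  return docs.filter((d) => matchesId(d, query._id));
}

// Hardened shape: the id must be a string or number before it is used.
// Objects, arrays, null and undefined are rejected at the boundary, so no
// operator syntax can be smuggled in through the id argument.
function assertScalarId(id) {
  if (typeof id !== 'string' && typeof id !== 'number') {
    throw new TypeError(`id must be a string or number, got ${typeof id}`);
  }
  return id;
}

function safeGet(id, docs = SAMPLE_DOCS) {
  const query = { _id: assertScalarId(id) };
  return docs.filter((d) => matchesId(d, query._id));
}

module.exports = { SAMPLE_DOCS, matchesId, unsafeGet, assertScalarId, safeGet };
```

Run against the constructed data, `unsafeGet({ $ne: null })` returns all three documents while `safeGet` rejects the same input before any query is built.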
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-943
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026