GHSA-p9xr-7p9p-gpqx

Source

https://github.com/advisories/GHSA-p9xr-7p9p-gpqx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p9xr-7p9p-gpqx/GHSA-p9xr-7p9p-gpqx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p9xr-7p9p-gpqx

Aliases

CVE-2026-29793

Published

2026-03-10T21:03:40Z

Modified

2026-03-13T04:22:19.452658Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

Details

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.

Database specific

{
    "github_reviewed_at": "2026-03-10T21:03:40Z",
    "nvd_published_at": "2026-03-10T20:16:39Z",
    "cwe_ids": [
        "CWE-943"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true
}

References

Affected packages

npm / @feathersjs/mongodb

Package

Name: @feathersjs/mongodb; View open source insights on deps.dev
Purl: pkg:npm/%40feathersjs/mongodb

Affected ranges

Type: SEMVER
Events: Introduced

5.0.0

Fixed

5.0.42

Database specific

last_known_affected_version_range

"<= 5.0.41"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p9xr-7p9p-gpqx/GHSA-p9xr-7p9p-gpqx.json"