GHSA-ppf9-4ffw-hh4p

Source

https://github.com/advisories/GHSA-ppf9-4ffw-hh4p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-ppf9-4ffw-hh4p

Aliases

CVE-2026-27191

Published

2026-02-19T20:32:15Z

Modified

2026-02-23T23:43:54.686822Z

Severity

7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Feathers has an open redirect in OAuth callback enables account takeover

Details

Description

The redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them.

The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter:

// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4
const { redirect } = query;
...
session.redirect = redirect;

// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98
const redirectUrl = `${redirect}${queryRedirect}`;

Where: - redirect = base origin from config (e.g., https://target.com) - queryRedirect = user input from ?redirect= parameter

This is exploitable when the origins array is configured and origin values do not end with /. An attacker can supply @attacker.com as the redirect value results in https://target.com@attacker.com#access_token=..., where the browser interprets attacker.com as the host, leading to full account takeover.

Credits: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.

Database specific

{
    "cwe_ids": [
        "CWE-601"
    ],
    "nvd_published_at": "2026-02-21T04:15:58Z",
    "severity": "HIGH",
    "github_reviewed_at": "2026-02-19T20:32:15Z",
    "github_reviewed": true
}

References

Affected packages

npm / @feathersjs/authentication-oauth

Package

Name: @feathersjs/authentication-oauth; View open source insights on deps.dev
Purl: pkg:npm/%40feathersjs/authentication-oauth

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.0.40

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json"

last_known_affected_version_range

"<= 5.0.39"