1. Home
  2. CVE Database
  3. CVE-2026-29793
CRITICAL · 9.8

CVE-2026-29793

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the i...

Vulnerability Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
FeathersjsFeathers>= 5.0.0, < 5.0.42

Related Weaknesses (CWE)

CWE-943

References

FAQ

What is CVE-2026-29793?

CVE-2026-29793 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the i...

How severe is CVE-2026-29793?

CVE-2026-29793 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-29793?

Check the references section above for vendor advisories and patch information. Affected products include: Feathersjs Feathers.