CVE-2026-29793
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
EPSS 0.02%
Description
Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.
How to fix CVE-2026-29793
To remediate CVE-2026-29793, upgrade the affected package to a fixed version below.
- —upgrade to 5.0.42 or later
Is CVE-2026-29793 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.0.0, < 5.0.42
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |