CVE-2026-29793
Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter
EPSS 0.02%
Description
Socket.IO clients can send an arbitrary JavaScript object as the id argument of any service method that takes one (get, patch, update, remove). The transport layer performs no type checking on this argument, so a service backed by the MongoDB adapter receives the object as-is, passes it through getObjectId() unchanged, and places it directly in the MongoDB query, where the object's keys are interpreted as query operators. Sending {$ne: null} as the id produces a query that matches every document in the collection, turning a by-id operation into one over the whole collection. A plain string id is handled as intended; the defect is that non-string values are never rejected before they reach the query.
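The injection path and the type check that closes it, as an added example that is not code from Feathers or the @feathersjs/mongodb adapter. It models the id handling the advisory describes with a stand-in ObjectId conversion and an in-memory matcher that implements only the $ne, $in and $exists operators; the helper names (getObjectIdUnchecked, buildGetQueryVulnerable, buildGetQueryHardened, find, serviceGet) and the sample collection are assumptions for illustration.

```javascript
// Added example (not code from Feathers or @feathersjs/mongodb): a simplified model of the
// id handling the advisory describes, plus a small in-memory matcher implementing just
// enough of MongoDB's query semantics ($ne, $in, $exists) to show why an object id is dangerous.
// Helper names and the sample collection are assumptions for illustration.

const HEX24 = /^[0-9a-fA-F]{24}$/;

// Stand-in for ObjectId conversion: a 24-hex-char string becomes an ObjectId-like value,
// anything else is passed through unchanged (this pass-through is the modelled weakness).
function getObjectIdUnchecked(id) {
  if (typeof id === 'string' && HEX24.test(id)) {
    return { _bsontype: 'ObjectId', hex: id.toLowerCase() };
  }
  return id;
}

// Vulnerable pattern: whatever the socket client sent as `id` becomes the value of _id.
function buildGetQueryVulnerable(id) {
  return { _id: getObjectIdUnchecked(id) };
}

// Hardened pattern: reject anything that is not a primitive before a query is built.
function buildGetQueryHardened(id) {
  if (typeof id !== 'string' && typeof id !== 'number') {
    throw new TypeError('id must be a string or number, got ' + typeof id);
  }
  return { _id: getObjectIdUnchecked(id) };
}

function isObjectIdLike(v) {
  return v !== null && typeof v === 'object' && v._bsontype === 'ObjectId';
}

function valueEquals(a, b) {
  if (isObjectIdLike(a) && isObjectIdLike(b)) return a.hex === b.hex;
  return a === b;
}

// Evaluate one field condition: a literal value, or an operator object such as {$ne: null}.
function matchesField(stored, cond) {
  if (cond !== null && typeof cond === 'object' && !isObjectIdLike(cond)) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case '$ne': return !valueEquals(stored, arg);
        case '$in': return arg.some((x) => valueEquals(stored, x));
        case '$exists': return (stored !== undefined) === Boolean(arg);
        default: throw new Error('unsupported operator in example matcher: ' + op);
      }
    });
  }
  return valueEquals(stored, cond);
}

// Minimal find(): every field in the query must match the document.
function find(collection, query) {
  return collection.filter((doc) =>
    Object.entries(query).every(([field, cond]) => matchesField(doc[field], cond))
  );
}

// Constructed sample collection (not real data).
const users = [
  { _id: getObjectIdUnchecked('507f1f77bcf86cd799439011'), email: 'alice@example.test' },
  { _id: getObjectIdUnchecked('507f1f77bcf86cd799439012'), email: 'bob@example.test' },
  { _id: getObjectIdUnchecked('507f1f77bcf86cd799439013'), email: 'carol@example.test' },
];

// Simulates the `get` service method as reached over the socket transport, where `id` is
// whatever JSON the client placed in socket.emit('get', 'users', id, callback).
function serviceGet(id, { hardened }) {
  const query = hardened ? buildGetQueryHardened(id) : buildGetQueryVulnerable(id);
  return find(users, query);
}

function main() {
  // Normal client: a single record.
  console.log(serviceGet('507f1f77bcf86cd799439011', { hardened: false }).length); // 1
  // Malicious client: the operator object matches every document.
  console.log(serviceGet({ $ne: null }, { hardened: false }).length); // 3
  // Hardened path: the same payload is rejected before any query is built.
  try {
    serviceGet({ $ne: null }, { hardened: true });
  } catch (e) {
    console.log(e.message);
  }
}

main();
```

Run with node. The typeof check in buildGetQueryHardened is the shape of validation the transport should apply to the id before it reaches the adapter. On deployments that cannot upgrade immediately, the same check can be placed in a before hook on each MongoDB-backed service (a hook's context.id is the value the client sent) as defense in depth, but the supported fix is the package upgrade given on this page.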
How to fix CVE-2026-29793
To fix CVE-2026-29793, upgrade the affected package to the patched version below.
- npm/@feathersjs/mongodb: upgrade to 5.0.42 or later
Is CVE-2026-29793 being exploited?
Low. EPSS is 0.02% and no widespread exploitation activity has been observed so far. EPSS estimates the probability of exploitation in the wild over the next 30 days, not whether exploitation is feasible; the vector below (network reachable, no privileges, no user interaction, low complexity) means the upgrade should not wait for that score to rise.
Affected packages (1)
- npm/@feathersjs/mongodb: >= 5.0.0, < 5.0.42
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |