Cyber Posture

CVE-2026-29793

Critical

Published: 10 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: fixed in 5.0.42
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.6th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-29793 is a critical-severity Improper Neutralization of Special Elements in Data Query Logic (CWE-943) vulnerability in Feathersjs Feathers. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 6.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls, NIST 800-53 r5 (AI-generated)

prevent: Directly addresses the lack of type checking on the Socket.IO 'id' argument by requiring validation mechanisms to reject arbitrary JavaScript objects before they reach MongoDB queries.

prevent: Remediates the specific flaw in FeathersJS versions 5.0.0 to 5.0.41 by identifying, patching to 5.0.42 or later, and testing the update.

prevent: Enforces restrictions on the 'id' input to limit it to valid identifiers such as strings or ObjectIds, rejecting invalid inputs such as MongoDB query operators.

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
T1565.001 Stored Data Manipulation (Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

A vulnerability in a public-facing FeathersJS API directly enables remote exploitation (T1190) through NoSQL operator injection into MongoDB, which in turn facilitates unauthorized database data access (T1213.006), stored data manipulation (T1565.001), and data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.

Deeper analysis (AI-generated)

CVE-2026-29793 is a critical-severity vulnerability (CVSS 9.8) in the FeathersJS framework, which is used for building web APIs and real-time applications with TypeScript or JavaScript. Affecting versions from 5.0.0 up to but not including 5.0.42, the issue arises when Socket.IO clients send arbitrary JavaScript objects as the "id" argument to service methods such as get, patch, update, or remove. The transport layer performs no type checking on this argument, so these objects pass through unimpeded.

In an attack scenario, unauthenticated remote attackers can exploit this over the network with low complexity and no user interaction required. When the application uses the MongoDB adapter, the malicious "id" objects pass through getObjectId() unchanged and are injected directly into MongoDB queries as operators. For example, sending {"$ne": null} as the id matches every document in the collection, enabling attackers to read, modify, or delete all data depending on the service method invoked, resulting in high confidentiality, integrity, and availability impacts (C:H/I:H/A:H).

The FeathersJS security advisory at https://github.com/feathersjs/feathers/security/advisories/GHSA-p9xr-7p9p-gpqx details the fix in version 5.0.42, which introduces proper validation to prevent arbitrary objects from reaching the database query layer. Security practitioners should upgrade to 5.0.42 or later and review applications using Socket.IO with MongoDB adapters for exposure.
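The root cause described above is a missing type check on the service-method id before it reaches the MongoDB adapter. The following is an added example, not code from the FeathersJS project or from the advisory: a Feathers-style "before" hook that refuses any id that is not a plain string or number, so an operator object such as {$ne: null} is rejected at the service boundary. The hook context fields (context.id, context.method) are assumed from Feathers' documented hooks API; a plain Error stands in for the framework's BadRequest class, and the sample ids at the end are constructed.

```javascript
// Added example (not FeathersJS project code): a "before" hook that rejects
// any service-method id that is not a plain scalar, so an object such as
// {$ne: null} never reaches the MongoDB adapter as a query operator.

// A safe id is a non-empty string (including the 24-hex text form of an
// ObjectId) or a finite number. Objects, arrays, booleans and symbols are
// refused. typeof null === 'object', so null is handled by the caller.
function isSafeId(id) {
  if (typeof id === 'string') {
    return id.length > 0 && id.length <= 128;
  }
  if (typeof id === 'number') {
    return Number.isFinite(id);
  }
  return false;
}

// Feathers-style before hook. Assumes the documented hook context fields
// context.id and context.method; a plain Error stands in for
// @feathersjs/errors BadRequest so the example has no dependencies.
// null/undefined is passed through untouched: in Feathers it signals a
// multi-record patch/remove, which the adapter gates behind its `multi` option.
function validateId(context) {
  const { id, method } = context;
  if (id === null || id === undefined) {
    return context;
  }
  if (!isSafeId(id)) {
    throw new Error(`Invalid id for ${method}: expected a string or number`);
  }
  return context;
}

// Run the hook over a list of ids and report the decision for each one.
function classifyIds(ids) {
  return ids.map((id) => {
    try {
      validateId({ id, method: 'get', params: {} });
      return 'allowed';
    } catch (err) {
      return 'rejected';
    }
  });
}

// Constructed sample inputs: two legitimate ids, the operator object quoted
// in the advisory, a second operator object, and an array.
const sample = ['5f1d7f3e2c4b1a0012345678', 42, { $ne: null }, { $gt: '' }, ['x']];
console.log(classifyIds(sample));
// -> [ 'allowed', 'allowed', 'rejected', 'rejected', 'rejected' ]
```

In an application this hook would be registered on every service that exposes an id-taking method, for example as a before hook for get, update, patch and remove (registration shape assumed from Feathers' hooks documentation). Upgrading to 5.0.42 or later remains the primary fix; a hook like this is defence in depth for services that accept ids from any transport.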

Details

CWE(s): CWE-943 (Improper Neutralization of Special Elements in Data Query Logic)

Affected Products

feathersjs feathers: 5.0.0 up to but not including 5.0.42

CVEs Like This One

CVE-2026-29792 (same product: Feathersjs Feathers)
CVE-2026-27192 (same product: Feathersjs Feathers)
CVE-2026-41327 (shared CWE-943)
CVE-2026-41328 (shared CWE-943)
CVE-2026-30941 (shared CWE-943)
CVE-2026-33980 (shared CWE-943)
CVE-2026-32248 (shared CWE-943)
CVE-2025-24787 (shared CWE-943)
CVE-2026-22558 (shared CWE-943)
CVE-2026-28211 (shared CWE-943)
