{"id":"GHSA-ppf9-4ffw-hh4p","summary":"Feathers has an open redirect in OAuth callback enables account takeover","details":"### Description\n\nThe `redirect` query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them.\n\nThe application constructs the final redirect URL by concatenating the base origin with the user-supplied `redirect` parameter:\n```javascript\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4\nconst { redirect } = query;\n...\nsession.redirect = redirect;\n\n// https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L98\nconst redirectUrl = `${redirect}${queryRedirect}`;\n```\n\nWhere:\n- `redirect` = base origin from config (e.g., `https://target.com`)\n- `queryRedirect` = user input from `?redirect=` parameter\n\nThis is exploitable when the `origins` array is configured and origin values do not end with `/`.\nAn attacker can supply `@attacker.com` as the redirect value, which results in `https://target.com@attacker.com#access_token=...`, where the browser interprets `attacker.com` as the host, leading to full account takeover.\n\n**Credits**: Abdelwahed Madani Yousfi (@vvxhid) / Edoardo Geraci (@b0-n0-b0) / Thomas Rinsma (@ThomasRinsma) From Codean Labs.","aliases":["CVE-2026-27191"],"modified":"2026-02-23T23:43:54.686822Z","published":"2026-02-19T20:32:15Z","database_specific":{"nvd_published_at":"2026-02-21T04:15:58Z","github_reviewed_at":"2026-02-19T20:32:15Z","cwe_ids":["CWE-601"],"github_reviewed":true,"severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27191"},{"type":"WEB","url":"https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401"},{"type":"PACKAGE","url":"https://github.com/feathersjs/feathers"},{"type":"WEB","url":"https://github.com/feathersjs/feathers/releases/tag/v5.0.40"}],"affected":[{"package":{"name":"@feathersjs/authentication-oauth","ecosystem":"npm","purl":"pkg:npm/%40feathersjs/authentication-oauth"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.0.40"}]}],"database_specific":{"last_known_affected_version_range":"\u003c= 5.0.39","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}]}