CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29793: NoSQL Injection via Missing Type Validation in FeathersJS MongoDB Adapter

Vulnerability ID: CVE-2026-29793
CVSS Score: 9.3
Published: 2026-03-10

The FeathersJS MongoDB adapter (@feathersjs/mongodb) prior to version 5.0.42 contains a critical NoSQL injection vulnerability. The flaw exists due to insufficient type validation of the 'id' parameter when handling requests via WebSocket transports like Socket.IO. Unauthenticated remote attackers can exploit this by passing native JavaScript objects containing MongoDB query operators in place of scalar ID values, allowing them to bypass record-level isolation and perform unauthorized data retrieval, modification, or deletion.

TL;DR

A critical NoSQL injection vulnerability in @feathersjs/mongodb allows remote attackers to bypass database isolation by injecting MongoDB operators through unvalidated WebSocket payloads.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-943
  • Attack Vector: Network (WebSocket / Socket.IO)
  • CVSS v4.0: 9.3 Critical
  • Impact: Unauthorized Data Access, Modification, and Deletion
  • Exploit Status: Proof of Concept Available
  • Affected Component: @feathersjs/mongodb prior to 5.0.42

Affected Systems

  • FeathersJS Framework
  • @feathersjs/mongodb (Feathers MongoDB Adapter)
  • @feathersjs/mongodb: >= 5.0.0, < 5.0.42 (Fixed in: 5.0.42)

Code Analysis

Commit: 163e664

This commit introduced strict type checking on the 'id' parameter in packages/mongodb/src/adapter.ts and added regression tests to prevent NoSQL operator injection.

Mitigation Strategies

  • Upgrade @feathersjs/mongodb to version 5.0.42 or later.
  • Implement a global FeathersJS 'before' hook to enforce strict type validation on the 'id' parameter.
  • Monitor WebSocket (Socket.IO) traffic for JSON payloads containing MongoDB operators (keys starting with '$').
  • Review and enforce strict 'adapter.whitelist' configurations to limit acceptable query operators.

Remediation Steps:

  1. Identify all projects utilizing the @feathersjs/mongodb dependency.
  2. Execute package manager update commands (e.g., 'npm install @feathersjs/mongodb@latest' or 'yarn upgrade @feathersjs/mongodb').
  3. Verify the installed version is >= 5.0.42 by inspecting package-lock.json or yarn.lock.
  4. Restart the application server to apply the updated adapter logic.
  5. If patching is delayed, apply the provided global 'before' hook to all services interacting with MongoDB.
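The global 'before' hook named in the mitigation list and in step 5 above, written here as an added example rather than code from the FeathersJS project or the original report. It assumes the standard Feathers hook context (context.id, context.path, context.method) and registration via app.hooks(); the operator-key scan only supports the monitoring suggestion and is not a substitute for upgrading.

```javascript
// Added example (not the project's code): a global Feathers 'before' hook that
// rejects non-scalar ids. Over REST an id arrives as a URL string, but over
// Socket.IO it is delivered as a native JSON value, so an object such as
// { "$ne": null } would reach the adapter unless a check like this runs first.

// True when the id is a scalar the MongoDB adapter may safely use.
// null/undefined are allowed because Feathers uses patch(null, ...) and
// remove(null, ...) for legitimate multi-record operations.
function isScalarId(id) {
  if (id === null || id === undefined) return true;
  const t = typeof id;
  return t === 'string' || t === 'number' || t === 'bigint';
}

// Collects dotted paths of keys that look like MongoDB operators ('$...')
// anywhere inside a value, for logging or monitoring of suspicious payloads.
function findOperatorKeys(value, path = '', found = []) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (k.startsWith('$')) found.push(p);
      findOperatorKeys(v, p, found);
    }
  }
  return found;
}

// Feathers hook: context.id carries the id for get/update/patch/remove.
// A plain Error is thrown here to keep the example dependency-free; in a real
// app throw BadRequest from @feathersjs/errors so the transport returns a 400.
function validateScalarId(context) {
  if (!isScalarId(context.id)) {
    const ops = findOperatorKeys(context.id).join(', ') || 'none';
    throw new Error(
      `Rejected id for ${context.path}.${context.method}: ` +
      `expected a scalar id (operator keys found: ${ops})`
    );
  }
  return context;
}

// Register once, globally, assuming a configured Feathers `app`:
// app.hooks({ before: { all: [validateScalarId] } });
```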
