Feathersjs Open Redirect Vulnerability in Authentication OAuth Component Allows Account Takeover

Vulnerability

A vulnerability in the Feathersjs framework, specifically in the authentication-oauth component, affects versions 5.0.39 and prior. The component builds the post-login redirect URL by joining the caller-supplied redirect query parameter onto a configured base origin as a plain string, without validating the result. A redirect value that begins with '@' (for example '@attacker.com') therefore turns the intended origin into the userinfo part of the URL and makes the attacker's domain the authority the browser actually navigates to. Because the access token is appended to that redirect URL, the token is delivered to an attacker-controlled host, and the attacker can use it to impersonate the victim, which amounts to full account takeover. Exploitation requires that the origins array is set and that the configured origin values do not end with a slash; with a trailing slash the injected '@' lands in the path rather than in the authority.

Impact

Exploitation of this vulnerability yields an open redirect through URL authority injection. Since the access token is appended to the redirect URL, a victim who completes an OAuth login through an attacker-crafted link has the token delivered to the attacker's host, giving the attacker unauthorized access to the victim's account.

Reproduction

To reproduce this vulnerability, configure the application to use the OAuth authentication strategy and set the origins array to include the target domain without a trailing slash (for example https://app.example.com rather than https://app.example.com/). Then send a request to the OAuth callback endpoint with a redirect parameter whose value starts with an injected authority, such as '@attacker.com'. The application concatenates this value onto the configured origin, producing a URL of the form https://app.example.com@attacker.com/..., which the browser parses as a request to attacker.com with 'app.example.com' as the userinfo component. The access token the application appends to the redirect is therefore sent to attacker.com, letting the attacker capture it and take over the user's account.
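The following Node.js script is an added illustration of the mechanism described above; it is not code from Feathersjs or from the advisory. It models the vulnerable pattern as a hypothetical string-concatenation builder (the fragment placement of access_token is an assumption, not a claim about the library), shows which host would receive the token for a trailing-slash and a no-trailing-slash origin, and pairs it with a hardened builder that resolves the redirect and checks the resulting origin against the allow-list. All origin values, hostnames and the token are constructed.

```javascript
// Added example (not Feathersjs code): demonstrates URL authority injection via
// origin + redirect string concatenation, and a hardened replacement.

// Constructed configuration. The entry without a trailing slash is the
// vulnerable condition; the one with a slash is not exploitable this way.
const ORIGIN_NO_SLASH = 'https://app.example.com';
const ORIGIN_WITH_SLASH = 'https://app.example.com/';
const ALLOWED_ORIGINS = [ORIGIN_NO_SLASH];

// Hypothetical vulnerable pattern modelled on the advisory: the redirect
// parameter is appended to the base origin as a string and the token is added
// afterwards. Putting the token in the fragment is an assumption made here.
function buildRedirectVulnerable(origin, redirect, token) {
  return `${origin}${redirect}#access_token=${encodeURIComponent(token)}`;
}

// Parse the built string the way a browser does and return the host that
// would actually receive the request (and the token in its fragment).
function hostReceivingToken(redirectUrl) {
  return new URL(redirectUrl).hostname;
}

// Hardened builder: resolve the redirect relative to the first allowed origin
// (so bare paths keep working), then refuse anything whose resulting origin is
// not on the allow-list. This rejects '@host', '//host' and absolute off-site
// URLs alike, whether or not the configured origin has a trailing slash.
function buildRedirectSafe(allowedOrigins, redirect, token) {
  const allowed = allowedOrigins.map((o) => new URL(o).origin);
  let target;
  try {
    target = new URL(redirect, allowed[0]);
  } catch {
    return null; // unparseable redirect value
  }
  if (!allowed.includes(target.origin)) {
    return null; // authority injection or off-site redirect
  }
  target.hash = `access_token=${encodeURIComponent(token)}`;
  return target.href;
}

// Demonstration over constructed inputs.
const token = 'constructed-access-token';
const cases = [
  ['@attacker.com/cb', ORIGIN_NO_SLASH],   // exploitable: host becomes attacker.com
  ['@attacker.com/cb', ORIGIN_WITH_SLASH], // not exploitable: '@' lands in the path
  ['//attacker.com/cb', ORIGIN_NO_SLASH],  // scheme-relative URL, caught by the origin check
  ['/dashboard', ORIGIN_NO_SLASH],         // benign same-origin path
];
for (const [redirect, origin] of cases) {
  const vulnerable = buildRedirectVulnerable(origin, redirect, token);
  console.log(`vulnerable: ${origin} + ${redirect} -> token goes to ${hostReceivingToken(vulnerable)}`);
  console.log(`hardened:   ${redirect} -> ${buildRedirectSafe(ALLOWED_ORIGINS, redirect, token)}`);
}
```

The hardened builder deliberately compares the parsed origin of the final URL rather than inspecting the redirect string for '@', because a string check misses scheme-relative values like '//attacker.com' and absolute URLs; the constructed '@attacker.com/cb' case resolves to a path on the allowed origin and is accepted, which is harmless because the token stays on the application's own host.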

Remediation

Upgrade to Feathersjs version 5.0.40 or later, where this vulnerability has been patched. Deployments whose configured origin values end with a trailing slash are not exploitable through this vector, but that configuration detail should not be relied on in place of the upgrade.

Added: Feb 21, 2026, 4:17 AM
Updated: Feb 21, 2026, 4:17 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.2
remediation: 0.0
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.