Feathersjs OAuth Service Session Cookie Header Exposure Vulnerability
Vulnerability
A vulnerability exists in the Feathersjs framework's OAuth service, specifically in versions 5.0.39 and prior. The issue arises because all HTTP request headers are saved in the session cookie, which, while signed, is not encrypted. This flaw exposes internal proxy and gateway headers to clients. Under certain deployment conditions, such as when using reverse proxies or API gateways, sensitive internal infrastructure details like API keys, service tokens, and internal IP addresses could be disclosed. The vulnerability has been addressed in version 5.0.40.
Impact
Exploitation of this vulnerability leads to the unintentional exposure of sensitive internal headers, including API keys, service tokens, and internal IP addresses, through the session cookie.
Reproduction
The vulnerability can be reproduced by sending a request to the OAuth service with internal headers that might be added by proxies, such as 'x-forwarded-for', 'x-internal-api-key', and 'x-real-ip'. This can be done using a tool like Postman or through a script that sends an HTTP request with the desired headers. After the request is processed, the session cookie will contain all the headers that were sent, including the sensitive internal ones.
Remediation
Users can update to Feathersjs version 5.0.40 or later, where this vulnerability has been fixed.
