Primary

Context

FeathersJS Socket.IO NoSQL Injection Vulnerability in MongoDB Adapter

Vulnerability

A NoSQL injection vulnerability has been identified in FeathersJS versions 5.0.0 prior to 5.0.42. Socket.IO clients can send arbitrary JavaScript objects as the id argument to service methods such as get, patch, update, and remove. The transport layer does not validate this argument, allowing malicious objects to be injected. When the MongoDB adapter is used, these objects are processed by getObjectId() and directly incorporated into MongoDB queries as operators. For example, sending an object with the $ne operator set to null matches all documents in the collection.

Impact

Exploitation of this vulnerability allows for NoSQL injection, where an attacker can manipulate MongoDB queries to bypass application logic or access unauthorized data.

Remediation

Users can upgrade to FeathersJS version 5.0.42 or later to address this vulnerability.

Added: Mar 10, 2026, 8:57 PM

Updated: Mar 10, 2026, 8:57 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.0

remediation

0.0

relevance

3.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.0

remediation

0.0

relevance

3.7

threat

0.0

urgency

2.9

incentive

4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

FeathersJS Socket.IO NoSQL Injection Vulnerability in MongoDB Adapter

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating