CVE-2026-29793: Feathers has a NoSQL Injection via WebSocket id Parameter in MongoDB Adapter

March 10, 2026

Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection.

References

github.com/advisories/GHSA-p9xr-7p9p-gpqx
github.com/feathersjs/feathers
github.com/feathersjs/feathers/security/advisories/GHSA-p9xr-7p9p-gpqx
nvd.nist.gov/vuln/detail/CVE-2026-29793

Code Behaviors & Features

Detect and mitigate CVE-2026-29793 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →