Advisories for Npm/@Feathersjs/Authentication-Oauth package

The origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks if the Referer header starts with any allowed origin: // https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/strategy.ts#L75 const allowedOrigin = origins.find((current) => referer.toLowerCase().startsWith(current.toLowerCase())); This comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers …

The redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them. The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter: // https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L158C3-L176C4 const { redirect } = query; … session.redirect = redirect; // …

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session: // https://github.com/feathersjs/feathers/blob/dove/packages/authentication-oauth/src/service.ts#L173 session.headers = headers; The session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific …