REPRO-2026-00113 HIGH RCE Verified

Feathers OAuth Authorization Header Leak to Third-Party

@feathersjs/authentication-oauth (npm) Feb 20, 2026

Confidence HIGH

Reproduced in 7m 45s

Tool calls 72

Affected <= 5.0.39

Fixed in 5.0.40

What's the vulnerability?

All HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients.

One Command

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00113

or pruva-verify GHSA-9m9c-vpv5-9g85

or pruva-verify CVE-2026-27192

Install: curl -fsSL https://pruva.dev/install.sh | sh

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00113/artifacts/repro/reproduction_steps.sh

chmod +x reproduction_steps.sh

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

Watch the AI agent's step-by-step process.

Loading session...