--- Checking main vulnerability in v5.0.39 ---
✅ VULNERABLE: Main vulnerability confirmed in v5.0.39
Location: 173: session.headers = headers
--- Checking fix in v5.0.40 ---
✅ FIXED: Only referer header stored in v5.0.40
Code: referer: headers?.referer
--- VARIANT 1: Other places where headers might be stored ---
Searching for session.*headers patterns in authentication-oauth...
/root/.pruva/runs/ghsa-9m9c-vpv5-9g85_20260220-150226/feathers/packages/authentication-oauth/src/service.ts:159: const { session, query, headers } = params
/root/.pruva/runs/ghsa-9m9c-vpv5-9g85_20260220-150226/feathers/packages/authentication-oauth/src/service.ts:173: session.headers = headers
Checking Grant library session handling...
8:var defaults = (config) => ({method, params, query, body, state, session}) => {
14: session = dcopy(params.override === 'callback' ? (session || {}) : {})
17: session.provider = params.provider
20: session.override = params.override
23: session.dynamic = query
26: session.dynamic = body
30: var provider = _config.provider(config, session, state)
31: return {provider, input: {method, params, query, body, state, session}}
34:var connect = ({request}) => ({provider, input, input:{session}, output}) =>
38: ({provider, input, input:{session}, output}) => (
39: session.request = output,
46: session.state = provider.state,
47: session.nonce = provider.nonce,
48: session.code_verifier = provider.code_verifier,
65: output = {error: 'Grant: missing session or misconfigured provider'},
--- VARIANT 2: Query parameter storage in session ---
Query storage:
172: session.query = restQuery
Fixed version query storage:
172: session.query = restQuery
--- VARIANT 3: Grant library OAuth token storage ---
Grant storage in vulnerable version:
87: session: session.grant,
93: session.grant = result.session
Grant storage in fixed version:
87: session: session.grant,
93: session.grant = result.session
--- BYPASS ATTEMPT: Alternative header storage paths ---
Checking all methods in
OAuthService...
37:export const redirectHook = () => async (context: HookContext, next: NextFunction) => {
76: async handler(method: string, params: OAuthParams, body?: any, override?: string): Promise {
99: async authenticate(params: OAuthParams, result: GrantResponse) {
158: async find(params: OAuthParams) {
178: async get(override: string, params: OAuthParams) {
184: async create(data: any, params: OAuthParams) {
192: async find(params: OAuthParams) {
198: async create(data: any, params: OAuthParams) {
Checking authenticate method for header exposure...
async authenticate(params: OAuthParams, result: GrantResponse) {
  const name = params.route.provider
  const { linkStrategy, authService } = this.settings
  const { accessToken, grant, headers, query = {}, redirect } = params.session
  const strategy = this.service.getStrategy(name) as OAuthStrategy
  const authParams = {
    ...params,
    headers,
    authStrategies: [name],
    authentication: accessToken ? { strategy: linkStrategy, accessToken } : null,
    query,
    redirect
  }
  const payload = grant?.response || result?.session?.response || result?.state?.response || params.query
  const authentication = {
=== VARIANT ANALYSIS SUMMARY ===
Total session storage paths in fixed version: 10
Checking if any alternative paths can expose sensitive data...
Header usage in fixed service.ts:
102: const { accessToken, grant, headers, query = {}, redirect } = params.session
106: headers,
159: const { session, query, headers } = params
174: session.headers = {
175: referer: headers?.referer
=== CONCLUSION ===
✅ The fix correctly addresses the reported vulnerability:
- Only 'referer' header is stored in session.headers
- Other headers are not stored
⚠️ OTHER SESSION STORAGE FOUND (not bypasses):
The following session data is still stored:
session: session.grant,
session.grant = result.session
if (typeof params.session.destroy === 'function') {
await params.session.destroy()
if (typeof params.session.destroy === 'function') {
await params.session.destroy()
session.accessToken = feathers_token
session.redirect = redirect
session.query = restQuery
Note: These are not bypasses of the header exposure vulnerability. They are other values the service still writes to the same session, and so to the same session cookie: the Grant state (session.grant), session.accessToken, session.redirect and session.query. The params.session.destroy() lines are matches of the search pattern, not stored data. Whether any of the remaining values is sensitive is a separate question from the header fix and needs its own review.
❌ NO BYPASS FOUND: The fix prevents header exposure as intended.
Exit code: 1 (no bypass found - this is expected)