Search for packages
| purl | pkg:npm/parse-server@4.10.4 |
| Next non-vulnerable version | 8.6.76 |
| Latest non-vulnerable version | 9.9.1-alpha.2 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1j65-rdzh-6bc3
Aliases: CVE-2026-31871 GHSA-gqpp-xgvh-9h7h |
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. |
Affected by 42 other vulnerabilities. Affected by 42 other vulnerabilities. |
|
VCID-2h23-n9we-rbdj
Aliases: CVE-2023-41058 GHSA-fcv6-fg5r-jm9q |
Always-Incorrect Control Flow Implementation Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers. |
Affected by 78 other vulnerabilities. Affected by 77 other vulnerabilities. Affected by 78 other vulnerabilities. Affected by 78 other vulnerabilities. |
|
VCID-3aau-zxk4-muaq
Aliases: CVE-2022-31112 GHSA-crrq-vr9j-fxxh |
Protected fields exposed via LiveQuery ### Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. ### Patches The LiveQueryController now removes protected fields from the client response. ### Workarounds Use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh - https://github.com/parse-community/parse-server ### For more information If you have any questions or comments about this advisory: - For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/) - Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/) |
Affected by 88 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 88 other vulnerabilities. Affected by 84 other vulnerabilities. |
|
VCID-3pbu-nwcc-hydn
Aliases: CVE-2026-31868 GHSA-v5hf-f4c3-m5rv |
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server `fileUpload.fileExtensions` option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include `.svgz`, `.xht`, `.xml`, `.xsl`, `.xslt`, and content types `application/xhtml+xml` and `application/xslt+xml` for extensionless uploads. Uploading of `.html`, `.htm`, `.shtml`, `.xhtml`, and `.svg` files was already blocked. |
Affected by 43 other vulnerabilities. Affected by 43 other vulnerabilities. |
|
VCID-4geq-pnnp-3fd8
Aliases: CVE-2026-30925 GHSA-mf3j-86qx-cq5j |
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery A malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. |
Affected by 60 other vulnerabilities. Affected by 60 other vulnerabilities. |
|
VCID-51jb-xry5-5qc2
Aliases: CVE-2026-31872 GHSA-r2m8-pxm9-9c4g |
Parse Server has a protected fields bypass via dot-notation in query and sort The `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. |
Affected by 41 other vulnerabilities. Affected by 41 other vulnerabilities. |
|
VCID-5cyt-1hbn-pkgb
Aliases: CVE-2025-64430 GHSA-x4qj-2f4q-r4rx |
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format A Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a `Parse.File` with `uri` parameter allows to execute an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to the provided URI is executed, but the response is not stored in Parse Server's file storage as the server crashes upon receiving the response. |
Affected by 71 other vulnerabilities. Affected by 71 other vulnerabilities. Affected by 72 other vulnerabilities. |
|
VCID-5j87-2q5c-cqdf
Aliases: CVE-2026-34373 GHSA-q3p6-g7c4-829c |
GraphQL API endpoint ignores CORS origin restriction ### Impact The GraphQL API endpoint does not respect the `allowOrigin` server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured `allowOrigin` restriction. ### Patches The GraphQL API endpoint now uses the same CORS middleware as the REST API, ensuring the `allowOrigin` and `allowHeaders` server options are consistently enforced across all endpoints. ### Workarounds There is no known workaround other than upgrading. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3p6-g7c4-829c - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10334 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10335 |
Affected by 9 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-5jge-ymnm-dkgy
Aliases: CVE-2022-31083 GHSA-rh9j-f5f8-rvgc |
Authentication bypass vulnerability in Apple Game Center auth adapter ### Impact The certificate in Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. ### Patches To prevent this, a new `rootCertificateUrl` property is introduced to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the [current root certificate](https://developer.apple.com/news/?id=stttq465) as of May 27, 2022. Keep in mind that the root certificate can change at any time (expected to be announced by Apple) and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-rh9j-f5f8-rvgc - https://developer.apple.com/news/?id=stttq465 - https://github.com/parse-community/parse-server ### More information * For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org) or [community chat](http://chat.parseplatform.org) * Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org) |
Affected by 90 other vulnerabilities. Affected by 81 other vulnerabilities. Affected by 90 other vulnerabilities. Affected by 84 other vulnerabilities. |
|
VCID-5tkj-suz2-hyf2
Aliases: CVE-2026-33042 GHSA-wjqw-r9x4-j59v |
Parse Server affected by empty authData bypassing credential requirement on signup ### Impact A user can sign up without providing credentials by sending an empty `authData` object, bypassing the username and password requirement. This allows the creation of authenticated sessions without proper credentials, even when anonymous users are disabled. ### Patches The fix ensures that empty or non-actionable `authData` is treated the same as absent `authData` for the purpose of credential validation on new user creation. Username and password are now required when no valid auth provider data is present. ### Workarounds Use a Cloud Code `beforeSave` trigger on the `_User` class to reject signups where `authData` is empty and no username/password is provided. |
Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-5tn5-f5x6-afbh
Aliases: CVE-2026-32098 GHSA-j7mm-f4rv-6q6q |
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. |
Affected by 38 other vulnerabilities. Affected by 38 other vulnerabilities. |
|
VCID-5web-hc9c-kbhe
Aliases: CVE-2025-68115 GHSA-jhgf-2h8h-ggxv |
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. |
Affected by 70 other vulnerabilities. Affected by 70 other vulnerabilities. |
|
VCID-67gc-6w6e-rkcg
Aliases: CVE-2026-30848 GHSA-hm3f-q6rw-m6wh |
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory The `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`). This affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory name. |
Affected by 63 other vulnerabilities. Affected by 64 other vulnerabilities. |
|
VCID-6bmy-ymay-zfdm
Aliases: CVE-2026-32878 GHSA-9ccr-fpp6-78qf |
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy ### Impact An attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. ### Patches The vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword. ### Workarounds None. ### Vulnerability Independence This vulnerability is not caused by or dependent on a vulnerability in a third-party dependency. The third-party `deepcopy` library that was replaced in the fix has no known CVE or security advisory regarding this. The library functions as designed. It is not vulnerable. The vulnerability is in parse-server's own request processing logic. Parse-server's security-critical keyword denylist check runs after the deep copy step in the request pipeline. The deep copy step strips `__proto__` properties as a normal part of its cloning behavior, which means the denylist check never sees the prohibited key. This allows an attacker to bypass both the denylist protection and class-level permissions for adding fields, resulting in schema poisoning. The root cause is parse-server's reliance on a cloning mechanism that alters the shape of the data before the security check can inspect it. This is a logic flaw in parse-server's security pipeline, not a vulnerability in a dependency. Replacing the cloning mechanism was the fix for parse-server's own bug. |
Affected by 29 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-6n48-nv1g-6uc2
Aliases: CVE-2022-39225 GHSA-6w4q-23cf-j9jp GMS-2022-4383 |
parse-server's session object properties can be updated by foreign user if object ID is known ### Impact A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to a foreign user does not usually change the privileges of neither of the two users, according to how Parse Server uses session objects internally. However, if custom logic is used to relate specific session objects to privileges this vulnerability may have a higher level of severity. The vulnerability does not allow a foreign user to assign a session object to themselves, read the session token, and then reassign the session object to the original user to then authenticate as that user with the known session token. The vulnerability only exists for foreign session objects, a user cannot assign their own session to another user. While it is unlikely that the session object ID of another user is known, it is possible to brute-force guess an object ID, even though the attacker would not know to which user a successfully guessed session object ID belongs. ### Patches The fix prevents writing to foreign session objects, even if the session object ID is known. ### Workarounds Add a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object. ### References - GitHub advisory [GHSA-6w4q-23cf-j9jp](https://github.com/parse-community/parse-server/security/advisories/GHSA-6w4q-23cf-j9jp) |
Affected by 86 other vulnerabilities. Affected by 86 other vulnerabilities. |
|
VCID-6r8m-wpe8-xfhq
Aliases: CVE-2022-24901 GHSA-qf8x-vqjv-92gr |
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it. |
Affected by 91 other vulnerabilities. Affected by 91 other vulnerabilities. |
|
VCID-7ne4-7a82-9yfx
Aliases: CVE-2023-22474 GHSA-vm5r-c87r-pf6x GMS-2023-196 |
Duplicate This advisory duplicates another. |
Affected by 81 other vulnerabilities. |
|
VCID-7spb-rcbx-w7gn
Aliases: CVE-2026-31856 GHSA-q3vj-96h2-gwvg |
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The `amount` value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. |
Affected by 44 other vulnerabilities. Affected by 44 other vulnerabilities. |
|
VCID-7xk3-yn6w-nfd1
Aliases: CVE-2026-30972 GHSA-775h-3xrc-c228 |
Parse Server has a rate limit bypass via batch request endpoint Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (`/batch`) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. |
Affected by 48 other vulnerabilities. Affected by 48 other vulnerabilities. |
|
VCID-82fj-6jd2-hqc1
Aliases: CVE-2026-34363 GHSA-m983-v2ff-wq65 |
LiveQuery protected field leak via shared mutable state across concurrent subscribers ### Impact When multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. ### Patches The fix deep-clones the shared objects at the start of each subscriber's processing callback, ensuring each subscriber works on an independent copy. Additionally, a bug was fixed where master key LiveQuery clients could not receive events on classes with protected fields due to an incorrect type passed to the sensitive data filter. ### Workarounds There is no known workaround. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65 - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10330 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10331 |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-8d4r-sv2m-hqhe
Aliases: CVE-2026-29182 GHSA-vc89-5g3r-cmhh |
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction Parse Server's `readOnlyMasterKey` option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the `readOnlyMasterKey` for mutating operations. This allows a caller who only holds the `readOnlyMasterKey` to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the `readOnlyMasterKey` option is affected. Note than an attacker needs to know the `readOnlyMasterKey` to exploit this vulnerability. |
Affected by 67 other vulnerabilities. Affected by 68 other vulnerabilities. |
|
VCID-8gsh-j1b9-3bew
Aliases: CVE-2026-30947 GHSA-7ch5-98q2-7289 |
Parse Server has a bypass of class-level permissions in LiveQuery Class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. |
Affected by 55 other vulnerabilities. Affected by 55 other vulnerabilities. |
|
VCID-8xmh-99mq-ybbf
Aliases: CVE-2026-30967 GHSA-fr88-w35c-r596 |
Parse Server OAuth2 authentication adapter account takeover via identity spoofing The OAuth2 authentication adapter, when configured without the `useridField` option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by `authData.id`. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with `oauth2: true`) without setting the `useridField` option. |
Affected by 49 other vulnerabilities. Affected by 49 other vulnerabilities. |
|
VCID-8zde-nj53-ebhu
Aliases: CVE-2026-31840 GHSA-qpr4-jrj4-6f27 |
Parse Server: SQL injection via dot-notation field name in PostgreSQL An attacker can use a dot-notation field name in combination with the `sort` query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the `distinct` and `where` query parameters. This vulnerability only affects deployments using a PostgreSQL database. |
Affected by 45 other vulnerabilities. Affected by 45 other vulnerabilities. |
|
VCID-9fqm-a5xk-j7d5
Aliases: CVE-2026-30938 GHSA-q342-9w2p-57fp |
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally by-passable using the same technique. All Parse Server deployments are affected. The `requestKeywordDenylist` is enabled by default. |
Affected by 59 other vulnerabilities. Affected by 59 other vulnerabilities. |
|
VCID-9kyv-xmvr-nfgf
Aliases: CVE-2026-32242 GHSA-2cjm-2gwv-m892 |
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. |
Affected by 36 other vulnerabilities. Affected by 36 other vulnerabilities. |
|
VCID-9zya-mcv5-s7g8
Aliases: CVE-2022-39396 GHSA-prm5-8g2m-24gg GMS-2022-6498 |
Remote code execution via MongoDB BSON parser through prototype pollution ### Impact An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. ### Patches Prevent prototype pollution in MongoDB database adapter. ### Workarounds Disable remote code execution through the MongoDB BSON parser. ### Collaborators Mikhail Shcherbakov (KTH), Cristian-Alexandru Staicu (CISPA) and Musard Balliu (KTH) working with Trend Micro Zero Day Initiative ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-prm5-8g2m-24gg |
Affected by 83 other vulnerabilities. Affected by 84 other vulnerabilities. |
|
VCID-agc3-jfsf-kbhh
Aliases: CVE-2026-33409 GHSA-pfj7-wv7c-22pr |
Parse Server has an auth provider validation bypass on login via partial authData ### Impact An authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option `allowExpiredAuthDataToken` is set to `true`. The default value is `false`. ### Patches Auth providers are now always validated on login, regardless of the `allowExpiredAuthDataToken` setting. The option `allowExpiredAuthDataToken` has been deprecated and will be removed in a future major version. ### Workarounds Set `allowExpiredAuthDataToken` to `false` (the default) or remove the option from the server configuration. |
Affected by 22 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-au5b-pexg-tubt
Aliases: CVE-2026-30966 GHSA-5f92-jrq3-28rc |
Parse Server has role escalation and CLP bypass via direct `_Join` table write Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a `pointerFields` CLP bypasses that access control. |
Affected by 51 other vulnerabilities. Affected by 51 other vulnerabilities. |
|
VCID-avfq-2nfn-fkdw
Aliases: CVE-2024-27298 GHSA-6927-3vr9-fxf2 |
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection ### Impact This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. ### Patches The algorithm to detect SQL injection has been improved. ### Workarounds None. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 - https://github.com/parse-community/parse-server/releases/tag/6.5.0 (fixed in Parse Server 6) - https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (fixed in Parse Server 7 alpha release) ### Credits - Mikhail Shcherbakov (https://twitter.com/yu5k3) working with Trend Micro Zero Day Initiative (finder) - Ehsan Persania (remediation developer) - Manuel Trezza (coordinator) |
Affected by 76 other vulnerabilities. Affected by 74 other vulnerabilities. |
|
VCID-b3ks-95ke-m7dz
Aliases: CVE-2025-68150 GHSA-3f5f-xgrj-97pf |
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter The Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. |
Affected by 69 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 69 other vulnerabilities. |
|
VCID-bgdt-2pkg-rbaj
Aliases: CVE-2024-39309 GHSA-c2hr-cqg6-8j6r |
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. |
Affected by 74 other vulnerabilities. Affected by 75 other vulnerabilities. |
|
VCID-c1nt-b6by-m7hu
Aliases: CVE-2026-33627 GHSA-37mj-c2wf-cx96 |
Parse Server exposes auth data via /users/me endpoint ### Impact An authenticated user calling `GET /users/me` receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. ### Patches The `/users/me` endpoint now queries the session and user data separately, using the caller's authentication context for the user query so that all security layers apply correctly. ### Workarounds There is no known workaround. |
Affected by 13 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-caaw-qhvr-nqaz
Aliases: CVE-2026-30948 GHSA-hcj7-6gxh-24ww |
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload A stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with `Content-Type: image/svg+xml` and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from `localStorage` and achieve account takeover. The default `fileExtensions` option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (the default) are affected. |
Affected by 54 other vulnerabilities. Affected by 54 other vulnerabilities. |
|
VCID-crd1-u2dd-6yh2
Aliases: CVE-2026-33538 GHSA-g4cf-xj29-wqqr |
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers ### Impact An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. ### Patches The fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database. ### Workarounds There is no known workaround other than upgrading. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-cuaf-2g3g-tuap
Aliases: CVE-2026-33421 GHSA-fph2-r4qg-9576 |
Parse Server's LiveQuery bypasses CLP pointer permission enforcement ### Impact Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (`readUserFields` and `pointerFields`). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. ### Patches The LiveQuery server now enforces pointer permissions on each event. After the existing check passes (which defers pointer permissions by design), the fix checks whether any configured pointer field on the object points to the subscribing user. Events for objects that don't match are silently skipped, consistent with how ACL mismatches are handled. ### Workarounds Use ACLs on individual objects to restrict read access instead of relying solely on CLP pointer permissions. ACLs are enforced by LiveQuery. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-cuct-x9ub-1bd9
Aliases: CVE-2026-33539 GHSA-p2w6-rmh7-w8q3 |
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter ### Impact An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. ### Patches Field names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter. ### Workarounds No workaround. Upgrade to a patched version. |
Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-d13k-gc2w-7yc1
Aliases: CVE-2023-36475 GHSA-462x-c3jw-7vr6 |
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1. |
Affected by 79 other vulnerabilities. Affected by 77 other vulnerabilities. Affected by 79 other vulnerabilities. Affected by 78 other vulnerabilities. |
|
VCID-davb-xyy3-2qf1
Aliases: CVE-2026-35200 GHSA-vr5f-2r24-w5hc |
Parse Server: File upload Content-Type override via extension mismatch ### Impact A file can be uploaded with a filename extension that passes the file extension allowlist (e.g., `.txt`) but with a `Content-Type` header that differs from the extension (e.g., `text/html`). The `Content-Type` is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. ### Patches The file upload now derives the Content-Type from the filename extension, overriding any user-provided Content-Type when the file has an extension. ### Workarounds Configure the storage adapter or CDN to derive Content-Type from the filename extension instead of using the stored Content-Type. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-dazy-p9qb-7qgk
Aliases: CVE-2026-30949 GHSA-48mh-j4p5-7j9v |
Parse Server missing audience validation in Keycloak authentication adapter The Keycloak authentication adapter does not validate the `azp` (authorized party) claim of Keycloak access tokens against the configured `client-id`. A valid access token issued by the same Keycloak realm for a *different* client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. |
Affected by 53 other vulnerabilities. Affected by 53 other vulnerabilities. |
|
VCID-eh2m-7t9f-tqdm
Aliases: CVE-2026-33163 GHSA-5hmj-jcgp-6hff |
Parse Server leaks protected fields via LiveQuery afterEvent trigger ### Impact When a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-Level Permissions (`protectedFields`) are included in LiveQuery event payloads for all event types (create, update, delete, enter, leave). Any user with sufficient CLP permissions to subscribe to the affected class can receive protected field data of other users, including sensitive personal information and OAuth tokens from third-party authentication providers. ### Patches The vulnerability was caused by a reference detachment bug. When an `afterEvent` trigger is registered, the LiveQuery server converts the event object to a `Parse.Object` for the trigger, then creates a new JSON copy via `toJSONwithObjects()`. The sensitive data filter was applied to the `Parse.Object` reference, but the unfiltered JSON copy was sent to clients. The fix ensures that the JSON copy is assigned back to the response object before filtering, so the filter operates on the actual data sent to clients. ### Workarounds Remove all `Parse.Cloud.afterLiveQueryEvent` trigger registrations. Without an `afterEvent` trigger, the reference detachment does not occur and protected fields are correctly filtered. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-f6mm-th5w-fug4
Aliases: CVE-2026-34532 GHSA-vpj2-qq7w-5qq6 |
parse-server has cloud function validator bypass via prototype chain traversal ### Impact An attacker can bypass Cloud Function validator access controls by appending `.prototype.constructor` to the function name in the URL. When a Cloud Function handler is declared using the `function` keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as `requireUser`, `requireMaster`, or custom validation logic. ### Patches The trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape. ### Workarounds Use arrow functions instead of the `function` keyword for Cloud Function handlers. Arrow functions do not have a `prototype` property and are not affected by this vulnerability. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343 |
Affected by 8 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-faws-rh1j-tba1
Aliases: CVE-2026-32886 GHSA-4263-jgmp-7pf4 |
Parse Server's Cloud function dispatch crashes server via prototype chain traversal ### Impact Remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. ### Patches The fix restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. ### Workarounds There is no known workaround. |
Affected by 27 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
VCID-fnb8-edpu-e3e3
Aliases: CVE-2026-33508 GHSA-6qh5-m6g3-xhq6 |
Parse Server LiveQuery subscription query depth bypass ### Impact Parse Server's LiveQuery component does not enforce the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. Deployments are affected when the LiveQuery WebSocket endpoint is reachable by untrusted clients. ### Patches The fix adds query condition depth validation to the LiveQuery subscription handler, enforcing the same `requestComplexity.queryDepth` limit that already protects REST API queries. ### Workarounds There is no known workaround other than upgrading. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-fuju-xn2f-73a6
Aliases: CVE-2022-39231 GHSA-r657-33vp-gp22 GMS-2022-4384 |
parse-server auth adapter app ID validation can be circumvented ### Impact Validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. This fixes a vulnerability that affects configurations which allow users to authenticate using the Parse Server authentication adapter for _Facebook_ or _Spotify_ and where the server-side authentication adapter configuration `appIds` is set as a string (e.g. `abc`) instead of an array of strings (e.g. `["abc"]`). The vulnerability makes it possible to authenticate requests which are coming from a _Facebook_ or _Spotify_ app with a different app ID than the one specified in the `appIds` configuration. Both adapters still validate the access token with the respective authentication provider. An app ID is automatically assigned by the authentication provider. For this vulnerability to be exploited, an attacker would have to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID. The documentation did not explicitly specify that the parameter `appIds` must be set as an array of strings and setting a string also worked. Therefore, there is a possibility that there are deployments where `appIds` is set as a string, making them vulnerable. ### Patches The fix makes Parse Server check the type of the value set for `appIds` and throws an error if the value is not an array. ### Workarounds No known workarounds. ### References - GitHub advisory [GHSA-r657-33vp-gp22](https://github.com/parse-community/parse-server/security/advisories/GHSA-r657-33vp-gp22) |
Affected by 85 other vulnerabilities. Affected by 85 other vulnerabilities. |
|
VCID-g9mj-kud1-d7a3
Aliases: CVE-2026-32770 GHSA-827p-g5x5-h86c |
Parse Server LiveQuery subscription with invalid regular expression crashes server ### Impact A remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. ### Patches The fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. ### Workarounds Disable LiveQuery if it is not needed. |
Affected by 30 other vulnerabilities. Affected by 30 other vulnerabilities. |
|
VCID-gkng-gbtu-hkc1
Aliases: CVE-2023-46119 GHSA-792q-q67h-w579 |
Parse Server may crash when uploading file without extension ### Impact Parse Server crashes when uploading a file without extension. ### Patches A permanent fix has been implemented to prevent the server from crashing. ### Workarounds There are no known workarounds. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579 - Patched in Parse Server 6: https://github.com/parse-community/parse-server/releases/tag/6.3.1 - Patched in Parse Server 5 (LTS): https://github.com/parse-community/parse-server/releases/tag/5.5.6 |
Affected by 77 other vulnerabilities. Affected by 77 other vulnerabilities. |
|
VCID-gzbr-zm1b-nkfc
Aliases: CVE-2026-33498 GHSA-9fjp-q3c4-6w3j |
Parse Server has a query condition depth bypass via pre-validation transform pipeline ### Impact An attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. ### Patches The query condition nesting depth is now validated before the query enters the transformation pipeline, preventing deeply nested structures from being recursively processed before the existing depth guard can fire. ### Workarounds None. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-h8hu-n8dv-ybhy
Aliases: CVE-2026-32742 GHSA-5v7g-9h8f-8pgg |
Parse Server session creation endpoint allows overwriting server-generated session fields ### Impact An authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value. ### Patches The session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten. ### Workarounds Add a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`. |
Affected by 31 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-h8ut-tkq6-r7e2
Aliases: CVE-2026-34224 GHSA-w73w-g5xw-rwhf |
Parse Server has an MFA single-use token bypass via concurrent authData login requests ### Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. ### Patches The fix adds optimistic locking to the authData login path, ensuring that concurrent database updates for the same user fail when the original MFA token array has already been modified by another request. ### Workarounds There is no known workaround. |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-j6q8-5bxf-7fcf
Aliases: CVE-2026-33323 GHSA-h29g-q5c2-9h4f |
Parse Server email verification resend page leaks user existence ### Impact The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing `emailVerifySuccessOnInvalidEmail` configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. ### Patches The email verification resend routes now respect the `emailVerifySuccessOnInvalidEmail` option. When set to `true` (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration. ### Workarounds There is no known workaround to prevent the information disclosure other than upgrading. |
Affected by 22 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-j9vu-d52s-ekgq
Aliases: CVE-2026-33624 GHSA-2299-ghjr-6vjp |
Parse Server: MFA recovery code single-use bypass via concurrent requests ### Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. ### Patches The login handler now uses optimistic locking when updating auth data that contains consumed single-use tokens. If a concurrent request has already modified the recovery array, the update fails and the login is rejected. ### Workarounds There are no known workarounds. |
Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-jnuv-zhzb-nygr
Aliases: CVE-2026-27804 GHSA-4q3h-vp4r-prv2 |
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter An unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google account, without knowing their credentials. All deployments with Google authentication enabled are affected. |
Affected by 68 other vulnerabilities. Affected by 69 other vulnerabilities. |
|
VCID-jsgf-t1ga-x7eq
Aliases: CVE-2026-43930 GHSA-jpq4-7fmq-q5fj |
parse-server: MFA SMS one-time password accepted twice under concurrent login ### Impact A race condition in the MFA SMS one-time password (OTP) login path allows two concurrent `/login` requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This advisory is the same class of incomplete fix as [GHSA-2299-ghjr-6vjp](https://github.com/parse-community/parse-server/security/advisories/GHSA-2299-ghjr-6vjp) (TOTP recovery codes) and [GHSA-w73w-g5xw-rwhf](https://github.com/parse-community/parse-server/security/advisories/GHSA-w73w-g5xw-rwhf) (MFA recovery in authData-only login). Those previous fixes added optimistic locking only for array-typed authData fields; SMS MFA stores the OTP as a string, so the guard skipped it. ### Patches The optimistic lock has been generalized to cover primitive (string, number, boolean) and array authData fields. The lock is implemented as a shared helper `applyAuthDataOptimisticLock` that adds equality predicates on the original values of changed fields to the update WHERE clause. Concurrent writers racing the same single-use token now miss the WHERE condition and surface as `Invalid auth data`. ### Workarounds - Disable SMS MFA and use TOTP instead (TOTP tokens are time-window validated, not stored single-use). - Place a rate limiter on the `/login` endpoint to reduce concurrent-request burst capacity. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jpq4-7fmq-q5fj - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10448 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10449 |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-k86f-a3gq-hbbv
Aliases: CVE-2022-41878 GHSA-xprv-wvh7-qqqx GMS-2022-6626 |
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers ### Impact Keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. ### Patches Improved keyword detection. ### Workarounds Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature. ### Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-xprv-wvh7-qqqx |
Affected by 82 other vulnerabilities. Affected by 83 other vulnerabilities. |
|
VCID-k91x-3e4k-8bef
Aliases: CVE-2022-31089 GHSA-xw6g-jjvf-wwf9 GMS-2022-2518 |
Invalid file request can crash server ### Impact Certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as a single instance without redundancy, the availability impact may be high. ### Patches To prevent this, invalid requests are now properly handled. ### Workarounds None ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-xw6g-jjvf-wwf9 - https://github.com/parse-community/parse-server ### For more information - For questions or comments about this vulnerability visit our [community forum](http://community.parseplatform.org/) or [community chat](http://chat.parseplatform.org/) - Report other vulnerabilities at [report.parseplatform.org](https://report.parseplatform.org/) |
Affected by 89 other vulnerabilities. Affected by 89 other vulnerabilities. |
|
VCID-kpnd-nb3e-2ufx
Aliases: CVE-2026-34215 GHSA-wp76-gg32-8258 |
Parse Server exposes auth data via verify password endpoint ### Impact The verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. ### Patches The verify password endpoint now sanitizes authentication data through auth adapter hooks before returning the response, consistent with login and user retrieval endpoints. ### Workarounds There is no known workaround. |
Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-m9r5-g4pw-q7cx
Aliases: CVE-2026-31875 GHSA-4hf6-3x24-c9m8 |
Parse Server's MFA recovery codes not consumed after use When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. |
Affected by 40 other vulnerabilities. Affected by 40 other vulnerabilities. |
|
VCID-mpu4-c9v9-wbdd
Aliases: CVE-2026-32234 GHSA-c442-97qw-j6c6 |
Parse Server has a SQL injection via query field name when using PostgreSQL ### Impact An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. ### Patches The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. ### Workarounds There is no known workaround. ### References - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36 |
Affected by 37 other vulnerabilities. Affected by 37 other vulnerabilities. |
|
VCID-msej-ykyc-qyhp
Aliases: CVE-2023-32689 GHSA-9prm-jqwx-45x9 |
Phishing attack vulnerability by uploading malicious HTML file Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 is vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain. An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker. The fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default. |
Affected by 0 other vulnerabilities. Affected by 80 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 80 other vulnerabilities. |
|
VCID-n19y-uwm6-3udp
Aliases: CVE-2026-32594 GHSA-p2x3-8689-cwpg |
Parse Server's GraphQL WebSocket endpoint bypasses security middleware ### Impact Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. ### Patches The unfinished GraphQL WebSocket subscription feature has been removed, including the `createSubscriptions` method and the `subscriptions-transport-ws` dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types. ### Workarounds Block WebSocket upgrade requests to the GraphQL subscriptions path (by default `/subscriptions`) at the network level, for example using a reverse proxy or load balancer rule. |
Affected by 33 other vulnerabilities. Affected by 33 other vulnerabilities. |
|
VCID-n514-mj64-wkfb
Aliases: CVE-2026-30863 GHSA-x6fw-778m-wr9v |
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (`clientId` for Google/Apple, `appIds` for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. - For Google and Apple, the vulnerability is exploitable when the server does not configure `clientId`. The adapters accepted this as valid and simply skipped audience validation. - For Facebook Limited Login, the vulnerability exists regardless of configuration. The adapter validated `appIds` only for Standard Login (Graph API), but the Limited Login JWT path never passed `appIds` as the audience to JWT verification. |
Affected by 61 other vulnerabilities. Affected by 61 other vulnerabilities. |
|
VCID-n8kv-67nw-xbaw
Aliases: CVE-2026-34574 GHSA-f6j3-w9v3-cq22 |
Parse Server has a session field immutability bypass via falsy-value guard ### Impact An authenticated user can bypass the immutability guard on session fields (`expiresAt`, `createdWith`) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. ### Patches The truthiness-based guard checks were replaced with key-presence checks that reject any value for protected session fields, including null. ### Workarounds There is no known workaround. A `beforeSave` trigger on `_Session` could be used to reject null values for `expiresAt` and `createdWith`. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-nnat-huec-buht
Aliases: CVE-2026-30965 GHSA-6r2j-cxgf-495f |
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the `redirectClassNameForKey` query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. |
Affected by 50 other vulnerabilities. Affected by 50 other vulnerabilities. |
|
VCID-nqnd-8hx6-5bh4
Aliases: CVE-2026-31901 GHSA-w54v-hf9p-8856 |
Parse Server vulnerable to user enumeration via email verification endpoint The email verification endpoint (`/verificationEmailRequest`) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (`verifyUserEmails: true`). |
Affected by 39 other vulnerabilities. Affected by 39 other vulnerabilities. |
|
VCID-p1jm-h97h-vkhv
Aliases: CVE-2026-32943 GHSA-r3xq-68wh-gwvh |
Parse Server has a password reset token single-use bypass via concurrent requests ### Impact The password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. ### Patches The password reset token is now atomically validated and consumed as part of the password update operation. The database query that updates the password includes the reset token as a condition, ensuring that only one concurrent request can successfully consume the token. Subsequent requests using the same token will fail because the token has already been cleared. ### Workarounds There is no known workaround other than upgrading. |
Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-p27e-zbjb-ebbh
Aliases: CVE-2026-30941 GHSA-vgjh-hmwf-c588 |
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints A NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the `token` field in the password reset and email verification resend endpoints. The `token` value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When `emailVerifyTokenReuseIfValid` is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox access. |
Affected by 57 other vulnerabilities. Affected by 57 other vulnerabilities. |
|
VCID-p34v-j1s6-a7hn
Aliases: CVE-2026-30835 GHSA-9cp7-3q5w-j92g |
parse-server: Malformed `$regex` query leaks database error details in API response A malformed $regex query parameter (e.g. `[abc)` causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. |
Affected by 64 other vulnerabilities. Affected by 65 other vulnerabilities. |
|
VCID-pb34-8r9n-63ac
Aliases: CVE-2022-39313 GHSA-h423-w6qv-2wj3 GMS-2022-5505 |
parse-server crashes when receiving file download request with invalid byte range ### Impact Parse Server crashes when a file download request is received with an invalid byte range. ### Patches Improved parsing of the range parameter to properly handle invalid range requests. ### Workarounds None ### References - [GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3) |
Affected by 84 other vulnerabilities. Affected by 84 other vulnerabilities. |
|
VCID-pr98-q3e2-tydx
Aliases: CVE-2024-47183 GHSA-8xq9-g7ch-35hg |
Parse Server's custom object ID allows to acquire role privileges If the Parse Server option `allowCustomObjectId: true` is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. |
Affected by 73 other vulnerabilities. Affected by 74 other vulnerabilities. |
|
VCID-pt5h-ubds-5bah
Aliases: CVE-2024-29027 GHSA-6hh7-46r2-vf29 |
Server crashes on invalid Cloud Function or Cloud Job name Calling an invalid Parse Server Cloud Function name or Cloud Job name crashes server and may allow for code injection. |
Affected by 75 other vulnerabilities. Affected by 73 other vulnerabilities. |
|
VCID-pwb4-41pr-6kfs
Aliases: CVE-2026-31800 GHSA-7xg7-rqf6-pw6c |
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes The `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated `/graphql-config` and `/push_audiences` endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. |
Affected by 47 other vulnerabilities. Affected by 47 other vulnerabilities. |
|
VCID-q8xg-vs4w-d7g7
Aliases: CVE-2026-30228 GHSA-xfh7-phr7-gr2x |
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction The `readOnlyMasterKey` can be used to create and delete files via the Files API (`POST /files/:filename`, `DELETE /files/:filename`). This bypasses the read-only restriction which violates the access scope of the `readOnlyMasterKey`. Any Parse Server deployment that uses `readOnlyMasterKey` and exposes the Files API is affected. An attacker with access to the `readOnlyMasterKey` can upload arbitrary files or delete existing files. |
Affected by 66 other vulnerabilities. Affected by 67 other vulnerabilities. |
|
VCID-qbz7-9nkp-xfew
Aliases: CVE-2026-30946 GHSA-cmj3-wx7h-ffvg |
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API An unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. |
Affected by 56 other vulnerabilities. Affected by 56 other vulnerabilities. |
|
VCID-qupn-1ytd-tkae
Aliases: CVE-2026-31828 GHSA-7m6r-fhh7-r47c |
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. |
Affected by 46 other vulnerabilities. Affected by 46 other vulnerabilities. |
|
VCID-r432-uepe-vuah
Aliases: CVE-2026-30939 GHSA-5j86-7r7m-p8h6 |
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. |
Affected by 58 other vulnerabilities. Affected by 58 other vulnerabilities. |
|
VCID-r9jq-4te8-xkfb
Aliases: CVE-2026-34595 GHSA-mmg8-87c5-jrc2 |
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value ### Impact An authenticated user with `find` class-level permission can bypass the `protectedFields` class-level permission setting on LiveQuery subscriptions. By sending a subscription with a `$or`, `$and`, or `$nor` operator value as a plain object with numeric keys and a `length` property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. ### Patches The fix validates that `$or`, `$and`, and `$nor` operator values are arrays in the LiveQuery subscription handler, the query depth checker, and the protected-field guard. As defense in depth, the LiveQuery query evaluator also rejects non-array values for these operators. ### Workarounds There is no known workaround. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-rede-vp9p-wyeq
Aliases: CVE-2022-24760 GHSA-p6h4-93qp-jhcm |
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm. |
Affected by 92 other vulnerabilities. |
|
VCID-sd7z-5aa7-f7aw
Aliases: CVE-2026-39321 GHSA-mmpq-5hcv-hf2v |
Parse Server has a login timing side-channel reveals user existence ### Impact The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. ### Patches A dummy bcrypt comparison is now performed when no user is found, normalizing response timing regardless of user existence. Additionally, accounts without a stored password (e.g. OAuth-only) now also run a dummy comparison to prevent the same timing oracle. ### Workarounds Configure rate limiting on the login endpoint to slow automated enumeration. This reduces throughput but does not eliminate the timing signal for individual requests. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-sdps-4hhb-ebfw
Aliases: CVE-2022-36079 GHSA-2m6g-crv8-p3c6 |
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns ### Impact Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object. ### Patches The patch requires the master key to use internal and protected fields as query constraints. ### Workarounds Implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints, such as: ```js Parse.Cloud.beforeFind('TestObject', ({ query }) => { for (const key in query._where || []) { // Repeat logic for protected fields if (key.charAt(0) === '_') { delete query._where[key]; } } }); ``` ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6 |
Affected by 87 other vulnerabilities. Affected by 87 other vulnerabilities. |
|
VCID-shyz-tw66-b3gv
Aliases: CVE-2026-30850 GHSA-hwx8-q9cg-mqmc |
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization The file metadata endpoint (GET `/files/:appId/metadata/:filename`) does not enforce `beforeFind` / `afterFind` file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any deployment that relies on `Parse.Cloud.beforeFind(Parse.File, ...)` to restrict file access. Only file metadata (user-defined key-value pairs set via addMetadata) is exposed; file content remains protected. |
Affected by 62 other vulnerabilities. Affected by 63 other vulnerabilities. |
|
VCID-twrs-rk3t-f3gf
Aliases: CVE-2026-32728 GHSA-42ph-pf9q-cr72 |
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries ### Impact An attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail matching against the blocklist, allowing active content to be stored and served under the application's domain. In addition, certain XML-based file extensions that can render scripts in web browsers are not included in the default blocklist. This can lead to stored XSS attacks, compromising session tokens, user credentials, or other sensitive data accessible via the browser's local storage. ### Patches The fix strips MIME parameters from the `Content-Type` header before validating the file extension against the blocklist. The default blocklist has also been extended to include additional XML-based extensions (`xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`) that can render active content in web browsers. Note that the `fileUpload.fileExtensions` option is intended to be configured as an allowlist of file extensions that are valid for a specific application, not as a denylist. The default denylist is provided only as a basic default that covers most common problematic extensions. It is not intended to be an exhaustive list of all potentially dangerous extensions. Developers should not rely on the default value, as new extensions that can render active content in browsers might emerge in the future. ### Workarounds Configure the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions that your application needs, rather than relying on the default blocklist. |
Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. |
|
VCID-v5t3-r3mz-13gc
Aliases: CVE-2026-33527 GHSA-jc39-686j-wp6q |
Parse Server's Session Update endpoint allows overwriting server-generated session fields ### Impact An authenticated user can overwrite server-generated session fields such as `expiresAt` and `createdWith` when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. ### Patches The fix blocks authenticated users from setting `expiresAt` and `createdWith` fields when updating a session. Master key and maintenance key operations are not affected. ### Workarounds There is no known workaround other than upgrading. ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-jc39-686j-wp6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10263 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10264 |
Affected by 17 other vulnerabilities. Affected by 17 other vulnerabilities. |
|
VCID-v7yq-ntze-e3b1
Aliases: CVE-2022-41879 GHSA-93vw-8fm5-p2jf GMS-2022-6745 |
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks ### Impact A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. ### Patches Improved keyword detection. ### Workarounds None. ### Collaborators Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-93vw-8fm5-p2jf |
Affected by 81 other vulnerabilities. Affected by 82 other vulnerabilities. |
|
VCID-w48t-hex5-qkcs
Aliases: CVE-2026-34784 GHSA-hpm8-9qx6-jvwv |
Parser Server's streaming file download bypasses afterFind file trigger authorization ### Impact File downloads via HTTP Range requests bypass the `afterFind(Parse.File)` trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by `afterFind` trigger authorization logic or built-in validators such as `requireUser`. ### Patches The streaming file download path now executes the `afterFind(Parse.File)` trigger before sending any data. Authentication is resolved from the session token header so that trigger validators can distinguish authenticated from unauthenticated requests. ### Workarounds Use `beforeFind(Parse.File)` instead of `afterFind(Parse.File)` for file access authorization. The `beforeFind` trigger runs on all download paths including streaming. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-w51h-8rx9-5yaw
Aliases: CVE-2026-30229 GHSA-79wj-8rqv-jvp5 |
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user The `readOnlyMasterKey` can call `POST /loginAs` to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses `readOnlyMasterKey` is affected. |
Affected by 65 other vulnerabilities. Affected by 66 other vulnerabilities. |
|
VCID-wazt-mb6n-dudq
Aliases: CVE-2026-30962 GHSA-72hp-qff8-4pvv |
Parse Server has a protected fields bypass via logical query operators The validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. |
Affected by 52 other vulnerabilities. Affected by 52 other vulnerabilities. |
|
VCID-wh63-a1pu-c3g2
Aliases: CVE-2026-32248 GHSA-5fw2-8jcv-xh87 |
Parse Server: Account takeover via operator injection in authentication data identifier An unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default) is vulnerable. |
Affected by 35 other vulnerabilities. Affected by 35 other vulnerabilities. |
|
VCID-wu9b-cdwh-mka2
Aliases: CVE-2025-64502 GHSA-7cx5-254x-cgrq |
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Parse Server permits any client to execute explain queries without requiring the master key. This exposes: - Database schema structure and field names - Index configurations and query optimization details - Query execution statistics and performance metrics - Potential attack vectors for database performance exploitation |
Affected by 71 other vulnerabilities. |
|
VCID-ww53-ctcz-r7bp
Aliases: CVE-2026-32944 GHSA-9xp9-j92r-p88v |
Parse Server crash via deeply nested query condition operators ### Impact An unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. ### Patches A depth limit for query condition operator nesting has been added via the `requestComplexity.queryDepth` server option. The option is disabled by default to avoid a breaking change. To mitigate, upgrade and set the option to a value appropriate for your app. ### Workarounds None. |
Affected by 28 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-xpuh-u9nt-m7dt
Aliases: CVE-2026-33429 GHSA-qpc3-fg4j-8hgm |
Parse Server has a protected field change detection oracle via LiveQuery watch parameter ### Impact An attacker can subscribe to LiveQuery with a `watch` parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. ### Patches The `watch` parameter is now validated against protected fields at subscription time, mirroring the existing validation for the `where` clause. Subscriptions that include protected fields in `watch` are rejected with a permission error. Master key connections are exempt. ### Workarounds None. |
Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-z7cb-6ruj-4bf2
Aliases: CVE-2025-30168 GHSA-837q-jhwx-cmpv |
Parse Server has an OAuth login vulnerability The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. Note that this only affects Parse Server apps that specifically use an affected 3rd party authentication provider for user authentication, for example by setting the Parse Server option `auth` to configure a Parse Server authentication adapter. See the [3rd party authentication docs](https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication) for more information on which authentication providers are affected. |
Affected by 73 other vulnerabilities. Affected by 71 other vulnerabilities. Affected by 74 other vulnerabilities. |
|
VCID-ze79-p1vg-47fx
Aliases: CVE-2026-34573 GHSA-mfj6-6p54-m98c |
parse-server has GraphQL complexity validator exponential fragment traversal DoS ### Impact The GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options. ### Patches The fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded. ### Workarounds Disable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default). ### Resources - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c - Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344 - Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345 |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-vqqp-ywsb-bbhv | Exposure of Sensitive Information to an Unauthorized Actor For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. |
CVE-2021-41109
GHSA-7pr3-p5fm-8r9x |