VulnerableCode Package Details - pkg:npm/parse-server@8.6.70

Search for packages

Vulnerability	Summary	Fixed by
VCID-14fp-bjdd-uffh Aliases: CVE-2026-39381 GHSA-g4v2-qx3q-4p64	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.	8.6.75 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.8.0-alpha.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-dhkw-d15h-rkb5 Aliases: CVE-2026-43930 GHSA-jpq4-7fmq-q5fj	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.	8.6.76 Affected by 0 other vulnerabilities. 9.9.0-alpha.2 Affected by 0 other vulnerabilities.
VCID-dyd6-6yy1-hyhn Aliases: CVE-2026-39321 GHSA-mmpq-5hcv-hf2v	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.	8.6.74 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.8.0-alpha.6 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-nt51-v9gk-w3e8 Aliases: CVE-2026-35200 GHSA-vr5f-2r24-w5hc	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.	8.6.73 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.7.1-alpha.4 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vmwk-3myb-u7ds Aliases: CVE-2026-34784 GHSA-hpm8-9qx6-jvwv	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.	8.6.71 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.7.1-alpha.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-14fp-bjdd-uffh
Aliases:
CVE-2026-39381
GHSA-g4v2-qx3q-4p64

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

8.6.75
Affected by 1 other vulnerability.

9.8.0-alpha.7
Affected by 1 other vulnerability.

VCID-dhkw-d15h-rkb5
Aliases:
CVE-2026-43930
GHSA-jpq4-7fmq-q5fj

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

8.6.76
Affected by 0 other vulnerabilities.

9.9.0-alpha.2
Affected by 0 other vulnerabilities.

VCID-dyd6-6yy1-hyhn
Aliases:
CVE-2026-39321
GHSA-mmpq-5hcv-hf2v

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, he login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.

8.6.74
Affected by 2 other vulnerabilities.

9.8.0-alpha.6
Affected by 2 other vulnerabilities.

VCID-nt51-v9gk-w3e8
Aliases:
CVE-2026-35200
GHSA-vr5f-2r24-w5hc

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.

8.6.73
Affected by 3 other vulnerabilities.

9.7.1-alpha.4
Affected by 3 other vulnerabilities.

VCID-vmwk-3myb-u7ds
Aliases:
CVE-2026-34784
GHSA-hpm8-9qx6-jvwv

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.

8.6.71
Affected by 4 other vulnerabilities.

9.7.1-alpha.1
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-cbrh-vg1p-3ua7	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.	CVE-2026-34595 GHSA-mmg8-87c5-jrc2

Vulnerability

Summary

Aliases

VCID-cbrh-vg1p-3ua7

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.

CVE-2026-34595
GHSA-mmg8-87c5-jrc2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:28:32.723979+00:00	GHSA Importer	Fixing	VCID-cbrh-vg1p-3ua7	https://github.com/advisories/GHSA-mmg8-87c5-jrc2	38.6.0
2026-06-12T22:20:29.776969+00:00	GitLab Importer	Affected by	VCID-dhkw-d15h-rkb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-43930.yml	38.6.0
2026-06-12T21:57:08.781872+00:00	GitLab Importer	Affected by	VCID-14fp-bjdd-uffh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-39381.yml	38.6.0
2026-06-12T21:56:38.311057+00:00	GitLab Importer	Affected by	VCID-dyd6-6yy1-hyhn	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-39321.yml	38.6.0
2026-06-12T21:53:22.547358+00:00	GitLab Importer	Affected by	VCID-nt51-v9gk-w3e8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-35200.yml	38.6.0
2026-06-12T21:46:27.418366+00:00	GitLab Importer	Affected by	VCID-vmwk-3myb-u7ds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-34784.yml	38.6.0
2026-06-12T21:46:11.515606+00:00	GitLab Importer	Fixing	VCID-cbrh-vg1p-3ua7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-34595.yml	38.6.0
2026-06-12T07:45:32.937417+00:00	GithubOSV Importer	Fixing	VCID-cbrh-vg1p-3ua7	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mmg8-87c5-jrc2/GHSA-mmg8-87c5-jrc2.json	38.6.0