VulnerableCode Package Details - pkg:npm/parse-server@8.6.75

Search for packages

Vulnerability	Summary	Fixed by
VCID-dhkw-d15h-rkb5 Aliases: CVE-2026-43930 GHSA-jpq4-7fmq-q5fj	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.	8.6.76 Affected by 0 other vulnerabilities. 9.9.0-alpha.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-dhkw-d15h-rkb5
Aliases:
CVE-2026-43930
GHSA-jpq4-7fmq-q5fj

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succeed and both receive valid session tokens, breaking the single-use property of the OTP. The vulnerability requires the attacker to already possess the victim's password and intercept the active SMS OTP (e.g. via SIM swap, network mirror, or phishing relay) and to race the legitimate login request, so the practical attack surface is narrow. This vulnerability is fixed in 8.6.76 and 9.9.0-alpha.2.

8.6.76
Affected by 0 other vulnerabilities.

9.9.0-alpha.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-14fp-bjdd-uffh	Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.	CVE-2026-39381 GHSA-g4v2-qx3q-4p64

Vulnerability

Summary

Aliases

VCID-14fp-bjdd-uffh

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.

CVE-2026-39381
GHSA-g4v2-qx3q-4p64

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-13T06:28:50.265668+00:00	GHSA Importer	Fixing	VCID-14fp-bjdd-uffh	https://github.com/advisories/GHSA-g4v2-qx3q-4p64	38.6.0
2026-06-12T22:20:29.795885+00:00	GitLab Importer	Affected by	VCID-dhkw-d15h-rkb5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-43930.yml	38.6.0
2026-06-12T21:57:08.801480+00:00	GitLab Importer	Fixing	VCID-14fp-bjdd-uffh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/parse-server/CVE-2026-39381.yml	38.6.0
2026-06-12T07:46:23.395902+00:00	GithubOSV Importer	Fixing	VCID-14fp-bjdd-uffh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-g4v2-qx3q-4p64/GHSA-g4v2-qx3q-4p64.json	38.6.0