| purl | pkg:npm/parse-server@9.0.0-alpha.4 |
| Next non-vulnerable version | 9.9.0-alpha.2 |
| Latest non-vulnerable version | 9.9.1-alpha.2 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-1j65-rdzh-6bc3 Aliases: CVE-2026-31871, GHSA-gqpp-xgvh-9h7h | Parse Server vulnerable to SQL injection via dot-notation sub-key name in `Increment` operation on PostgreSQL. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. | Affected by 42 other vulnerabilities. |
| VCID-3pbu-nwcc-hydn Aliases: CVE-2026-31868, GHSA-v5hf-f4c3-m5rv | Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types. An attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server `fileUpload.fileExtensions` option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions and content types include `.svgz`, `.xht`, `.xml`, `.xsl`, `.xslt`, and content types `application/xhtml+xml` and `application/xslt+xml` for extensionless uploads. Uploading of `.html`, `.htm`, `.shtml`, `.xhtml`, and `.svg` files was already blocked. | Affected by 43 other vulnerabilities. |
| VCID-4geq-pnnp-3fd8 Aliases: CVE-2026-30925, GHSA-mf3j-86qx-cq5j | Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery. A malicious client can subscribe to a LiveQuery with a crafted `$regex` pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluated by the database engine. | Affected by 60 other vulnerabilities. |
| VCID-51jb-xry5-5qc2 Aliases: CVE-2026-31872, GHSA-r2m8-pxm9-9c4g | Parse Server has a protected fields bypass via dot-notation in query and sort. The `protectedFields` class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. | Affected by 41 other vulnerabilities. |
| VCID-67gc-6w6e-rkcg Aliases: CVE-2026-30848, GHSA-hm3f-q6rw-m6wh | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory. The `PagesRouter` static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured `pagesPath` directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. `pages-secret` starts with `pages`). This affects any Parse Server deployment with the `pages` feature enabled (`pages.enableRouter: true`). Exploitation requires a sibling directory of `pagesPath` whose name begins with the same string as the pages directory name. | Affected by 64 other vulnerabilities. |
| VCID-7spb-rcbx-w7gn Aliases: CVE-2026-31856, GHSA-q3vj-96h2-gwvg | Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation (e.g., `stats.counter`). The `amount` value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. | Affected by 44 other vulnerabilities. |
| VCID-7xk3-yn6w-nfd1 Aliases: CVE-2026-30972, GHSA-775h-3xrc-c228 | Parse Server has a rate limit bypass via batch request endpoint. Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (`/batch`) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. | Affected by 48 other vulnerabilities. |
| VCID-8xmh-99mq-ybbf Aliases: CVE-2026-30967, GHSA-fr88-w35c-r596 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing. The OAuth2 authentication adapter, when configured without the `useridField` option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by `authData.id`. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with `oauth2: true`) without setting the `useridField` option. | Affected by 49 other vulnerabilities. |
| VCID-9fqm-a5xk-j7d5 Aliases: CVE-2026-30938, GHSA-q342-9w2p-57fp | Parse Server has `requestKeywordDenylist` keyword scan bypass through nested object placement. The `requestKeywordDenylist` security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom `requestKeywordDenylist` entries configured by the developer are equally bypassable using the same technique. All Parse Server deployments are affected. The `requestKeywordDenylist` is enabled by default. | Affected by 59 other vulnerabilities. |
| VCID-au5b-pexg-tubt Aliases: CVE-2026-30966, GHSA-5f92-jrq3-28rc | Parse Server has role escalation and CLP bypass via direct `_Join` table write. Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such table that backs a Relation field used in a `pointerFields` CLP bypasses that access control. | Affected by 51 other vulnerabilities. |
| VCID-m9r5-g4pw-q7cx Aliases: CVE-2026-31875, GHSA-4hf6-3x24-c9m8 | Parse Server's MFA recovery codes not consumed after use. When multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. | Affected by 40 other vulnerabilities. |
| VCID-n514-mj64-wkfb Aliases: CVE-2026-30863, GHSA-x6fw-778m-wr9v | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters. The Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (`clientId` for Google/Apple, `appIds` for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. For Google and Apple, the vulnerability is exploitable when the server does not configure `clientId`; the adapters accepted this as valid and simply skipped audience validation. For Facebook Limited Login, the vulnerability exists regardless of configuration; the adapter validated `appIds` only for Standard Login (Graph API), but the Limited Login JWT path never passed `appIds` as the audience to JWT verification. | Affected by 61 other vulnerabilities. |
| VCID-nnat-huec-buht Aliases: CVE-2026-30965, GHSA-6r2j-cxgf-495f | Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter. A vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the `redirectClassNameForKey` query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. | Affected by 50 other vulnerabilities. |
| VCID-nqnd-8hx6-5bh4 Aliases: CVE-2026-31901, GHSA-w54v-hf9p-8856 | Parse Server vulnerable to user enumeration via email verification endpoint. The email verification endpoint (`/verificationEmailRequest`) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (`verifyUserEmails: true`). | Affected by 39 other vulnerabilities. |
| VCID-pwb4-41pr-6kfs Aliases: CVE-2026-31800, GHSA-7xg7-rqf6-pw6c | Parse Server: classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes. The `_GraphQLConfig` and `_Audience` internal classes can be read, modified, and deleted via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated `/graphql-config` and `/push_audiences` endpoints. An attacker can read, modify, and delete GraphQL configuration and push audience data. | Affected by 47 other vulnerabilities. |
| VCID-qupn-1ytd-tkae Aliases: CVE-2026-31828, GHSA-7m6r-fhh7-r47c | Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction. The LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (`authData.id`) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. | Affected by 46 other vulnerabilities. |
| VCID-r432-uepe-vuah Aliases: CVE-2026-30939, GHSA-5j86-7r7m-p8h6 | Parse Server has Denial of Service (DoS) and Cloud Function dispatch bypass via prototype chain resolution. An unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. | Affected by 58 other vulnerabilities. |
| VCID-shyz-tw66-b3gv Aliases: CVE-2026-30850, GHSA-hwx8-q9cg-mqmc | Parse Server: file metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization. The file metadata endpoint (GET `/files/:appId/metadata/:filename`) does not enforce `beforeFind` / `afterFind` file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This affects any deployment that relies on `Parse.Cloud.beforeFind(Parse.File, ...)` to restrict file access. Only file metadata (user-defined key-value pairs set via `addMetadata`) is exposed; file content remains protected. | Affected by 63 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |