parse-server@2.7.3 vulnerabilities

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection when Parse Server is configured to use the PostgreSQL database. An attacker can execute arbitrary SQL commands.

Upgrade parse-server to version 6.5.7, 7.1.0 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Input Validation for Cloud Function names and Cloud Job names. Exploiting this vulnerability allows an attacker to cause a denial of service or execute arbitrary code by sending a specially crafted request.

Upgrade parse-server to version 6.5.5, 7.0.0-alpha.29 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection via a malicious PostgreSQL statement containing multiple quoted strings. This vulnerability is only present when the PostgreSQL engine is in use.

Upgrade parse-server to version 6.5.0, 7.0.0-alpha.20 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the file upload function. An attacker can cause the server to crash by uploading a file without an extension.

Upgrade parse-server to version 5.5.6, 6.3.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Access Restriction Bypass via the beforeFind trigger in the Parse Cloud. An attacker can bypass security layers and modify incoming queries by exploiting certain conditions in Parse.Query. This is only exploitable if the beforeFind trigger is used as a security layer to modify the incoming query.

Upgrade parse-server to version 5.5.5, 6.2.2 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution in the MongoDB BSON parser, which allows attackers to execute code on the affected system.

Upgrade parse-server to version 5.5.2, 6.2.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Arbitrary File Upload such that a malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.

Note:

An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.

Upgrade parse-server to version 5.5.0, 6.2.0 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to insufficient checks in the mechanism used to determine the client's IP address.

Upgrade parse-server to version 5.4.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution such that a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

Upgrade parse-server to version 4.10.20, 5.3.3 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution such that keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.

Upgrade parse-server to version 4.10.19, 5.3.2 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution due to insufficient validation checks which can allow an attacker to trigger remote code execution.

Upgrade parse-server to version 4.10.18, 5.3.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when receiving a file download request with an invalid byte range.

Upgrade parse-server to version 4.10.17, 5.2.8 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass where the session object properties can be updated by a foreign user if the object ID is known.

Upgrade parse-server to version 4.10.15, 5.2.6 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Authentication when the server-side authentication adapter configuration appIds is set as a string instead of an array of strings. The vulnerability makes it possible to authenticate requests coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.

Note: This vulnerability affects environments with configurations that allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify.

Upgrade parse-server to version 4.10.16, 5.2.7 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure via internal fields (keys used internally by Parse Server, prefixed by _) and user-defined protected fields used as query constraints. An attacker can exploit this vulnerability by brute force and enumerating the time until Parse Server returns a response object.

Upgrade parse-server to version 4.10.14, 5.2.5 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure because the LiveQueryController does not remove protected fields in classes, passing them to the client.

Upgrade parse-server to version 4.10.13, 5.2.4 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to certain types of invalid files requests are not handled properly.

Note: If you are running multiple Parse Server instances in a cluster, the availability impact may be low. If you are running Parse Server as a single instance without redundancy, the availability impact may be high.

Upgrade parse-server to version 4.10.12, 5.2.3 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to missing validation of certificates from Apple Game Center. Thus, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.

Upgrade parse-server to version 4.10.11, 5.2.2 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to a weak validation of the Apple certificate URL in the Apple Game Center authentication adapter which allows attackers to make DoS attacks.

Upgrade parse-server to version 4.10.10, 5.2.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution in DatabaseController.js, which may lead to an RCE.

Upgrade parse-server to version 4.10.7 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Authentication. For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.

Upgrade parse-server to version 4.10.4 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS). It crashes if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch.

Upgrade parse-server to version 4.10.3 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure. When an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password. The server does not currently use createdWith to make decisions about internal functions, so if a developer is not using createdWith directly, they are not affected. The vulnerability only affects users who depend on createdWith by using it directly.

Upgrade parse-server to version 4.5.1 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release. It broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens.

Upgrade parse-server to version 4.4.0 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Input Validation. It is possible to fetch all the users' objects, by using regex for sessionToken in the NoSQL query: {"_SessionToken":{"$regex":"r:027f"}}. In addition, it is possible to verify someone else's account by simply using regex in the token param: http://localhost:1337/parse/apps/kickbox/verify_email?token[$regex]=a&username=some@email.com.

Upgrade parse-server to version 4.1.0 or higher.

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Account Enumeration. ParseError.ACCOUNT_ALREADY_LINKED(208) is thrown before the AuthController checks the password and throws a ParseError.SESSION_MISSING(206) for Insufficient auth. An attacker can guess ids and get information about linked accounts and email addresses.

Upgrade parse-server to version 3.6.0 or higher.