parse-server@4.10.18 vulnerabilities

An express module providing a Parse-compatible API server

  • latest version

    9.5.1

  • first published

    13 years ago

  • latest version published

    6 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) and vulnerable version range:

    • Critical
    Improper Neutralization of Special Elements in Data Query Logic

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the findUsersWithAuthData() function, which looks up users by their authentication data identifier. An attacker can gain unauthorized access to any user account by sending a specially crafted login request whose user identifier makes the server perform a pattern-matching query instead of an exact-match lookup, so that a valid session token for the targeted account is returned.

    How to fix Improper Neutralization of Special Elements in Data Query Logic?

    Upgrade parse-server to version 8.6.38, 9.6.0-alpha.12 or higher.

    Vulnerable versions: <8.6.38 || >=9.0.0-alpha.1 <9.6.0-alpha.12

    • Critical
    Race Condition

    Affected versions of this package are vulnerable to Race Condition in the OAuth2 auth adapter. An attacker can gain unauthorized access by exploiting a race condition that causes token validation to occur against the wrong provider's configuration during concurrent authentication requests. This is only exploitable if multiple OAuth2 providers are configured via the oauth2: true flag.

    How to fix Race Condition?

    Upgrade parse-server to version 8.6.37, 9.6.0-alpha.11 or higher.

    Vulnerable versions: <8.6.37 || >=9.0.0-alpha.1 <9.6.0-alpha.11

    • Medium
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the LiveQuery subscription process. An attacker can infer the values of protected fields by crafting a subscription with a WHERE clause that references protected fields, including using dot-notation or $regex, and observing whether LiveQuery events are triggered for matching objects.

    Note: This is only exploitable if both protectedFields are configured in Class-Level Permissions and LiveQuery is enabled.

    How to fix Information Exposure?

    Upgrade parse-server to version 8.6.35, 9.6.0-alpha.9 or higher.

    Vulnerable versions: <8.6.35 || >=9.0.0-alpha.1 <9.6.0-alpha.9

    • High
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via the query field name when using PostgreSQL. An attacker can execute arbitrary SQL commands by injecting malicious field names in query constraints.

    Note: This is only exploitable if the deployment is configured to use PostgreSQL as the database and the attacker possesses the master key.

    How to fix SQL Injection?

    Upgrade parse-server to version 8.6.36, 9.6.0-alpha.10 or higher.

    Vulnerable versions: <8.6.36 || >=9.0.0-alpha.1 <9.6.0-alpha.10

    • Critical
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization via direct access to internal relationship tables through the REST API or GraphQL API using only the application key. An attacker can gain unauthorized permissions and access to protected resources by creating, reading, updating, or deleting records in any internal relationship table, which may result in bypassing access controls and escalating privileges.

    How to fix Missing Authorization?

    Upgrade parse-server to version 8.6.20, 9.5.2-alpha.7 or higher.

    Vulnerable versions: <8.6.20 || >=9.0.0-alpha.1 <9.5.2-alpha.7

    • Medium
    Insufficiently Protected Credentials

    Affected versions of this package are vulnerable to Insufficiently Protected Credentials in the OAuth2 authentication process when the useridField option is not set. An attacker can gain unauthorized access to other user accounts by authenticating with any valid OAuth2 token from the same provider.

    Note: This is only exploitable if the generic OAuth2 authentication adapter is enabled with oauth2: true and the useridField option is not configured.

    How to fix Insufficiently Protected Credentials?

    Upgrade parse-server to version 8.6.22, 9.5.2-alpha.9 or higher.

    Vulnerable versions: <8.6.22 || >=9.0.0-alpha.1 <9.5.2-alpha.9

    • High
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through unbounded query complexity in the REST and GraphQL APIs. An attacker can exhaust server resources, such as CPU, memory, and database connections, by sending specially crafted queries that lack enforced complexity limits.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade parse-server to version 8.6.15, 9.5.2-alpha.2 or higher.

    Vulnerable versions: <8.6.15 || >=9.0.0-alpha.1 <9.5.2-alpha.2

    • Critical
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection in the Increment operation on PostgreSQL when handling nested object fields using dot notation. An attacker can execute arbitrary SQL commands or access sensitive database information by crafting a malicious sub-key name containing single quotes in write requests to the REST API.

    How to fix SQL Injection?

    Upgrade parse-server to version 8.6.31, 9.6.0-alpha.5 or higher.

    Vulnerable versions: <8.6.31 || >=9.0.0-alpha.1 <9.6.0-alpha.5

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in LiveQuery. An attacker can gain unauthorized access to sensitive data by subscribing to real-time events for any class, regardless of permission restrictions.

    Note: This is only exploitable if LiveQuery is enabled for classes with class-level permissions.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.16, 9.5.2-alpha.3 or higher.

    Vulnerable versions: <8.6.16 || >=9.0.0-alpha.1 <9.5.2-alpha.3

    • Medium
    Improper Control of Interaction Frequency

    Affected versions of this package are vulnerable to Improper Control of Interaction Frequency in the batch endpoint, which processes sub-requests internally and bypasses the intended rate limiting controls. An attacker can send multiple sub-requests within a single batch to exceed the configured request limits by circumventing the middleware responsible for enforcing rate limits.

    Note: This is only exploitable if the deployment relies solely on the built-in rate limiting feature without additional protections such as a reverse proxy or web application firewall.

    How to fix Improper Control of Interaction Frequency?

    Upgrade parse-server to version 8.6.23, 9.5.2-alpha.10 or higher.

    Vulnerable versions: <8.6.23 || >=9.0.0-alpha.1 <9.5.2-alpha.10

    • Critical
    Operation on a Resource after Expiration or Release

    Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release because a recovery code is not invalidated once it has been used. An attacker who obtains a recovery code can reuse the same code repeatedly to gain unauthorized access to the user's account.

    How to fix Operation on a Resource after Expiration or Release?

    Upgrade parse-server to version 8.6.33, 9.6.0-alpha.7 or higher.

    Vulnerable versions: <8.6.33 || >=9.0.0-alpha.1 <9.6.0-alpha.7

    • Critical
    Improper Neutralization of Special Elements in Data Query Logic

    Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the token field in the password reset and email verification endpoints. An attacker can extract sensitive tokens and potentially verify a user's email address without inbox access by injecting MongoDB query operators through crafted requests.

    Note: This is only exploitable if email verification or password reset is enabled; full extraction of the email verification token additionally requires emailVerifyTokenReuseIfValid to be configured.

    How to fix Improper Neutralization of Special Elements in Data Query Logic?

    Upgrade parse-server to version 8.6.14, 9.5.2-alpha.1 or higher.

    Vulnerable versions: <8.6.14 || >=9.0.0-alpha.1 <9.5.2-alpha.1
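
The two query-operator injections on this page (the authentication data identifier lookup in the first entry and the password reset / email verification token lookup just above) share one root cause: a value parsed from the request body reaches the database query as an object instead of a string, so an equality test silently becomes a pattern match. The JavaScript below is an added illustration written for this page, not parse-server code; the in-memory matcher, the field names and the sample tokens are constructed for the demo, and it shows both the prefix oracle an attacker runs against the unsafe lookup and the type check that stops it.

```javascript
// Added example, not parse-server code: why a lookup keyed on client-supplied
// JSON must only ever receive a primitive string. The tiny matcher below emulates
// just enough of MongoDB ($eq, $regex) to show the exact-match-to-pattern-match
// downgrade and the prefix oracle it enables.

// Constructed sample data standing in for _User rows with a reset token.
const USERS = [
  { username: 'alice', _perishable_token: 'q7Zx3kLm9pW2' },
  { username: 'bob',   _perishable_token: 'bR4t8NvJ2sY6' },
];

function fieldMatches(value, constraint) {
  if (constraint !== null && typeof constraint === 'object') {
    if ('$regex' in constraint) return new RegExp(constraint.$regex).test(String(value));
    if ('$eq' in constraint) return value === constraint.$eq;
    return false;
  }
  return value === constraint;
}

function find(collection, where) {
  return collection.filter(doc =>
    Object.entries(where).every(([field, c]) => fieldMatches(doc[field], c)));
}

// Vulnerable: the value parsed from the request body is used as the constraint,
// so {"$regex": "^q"} turns an equality test into a pattern match.
function findByTokenUnsafe(token) {
  return find(USERS, { username: 'alice', _perishable_token: token });
}

// Hardened: refuse anything that is not a plain string before it reaches the
// query layer, and pin the constraint to $eq.
function findByTokenSafe(token) {
  if (typeof token !== 'string') throw new TypeError('token must be a string');
  return find(USERS, { username: 'alice', _perishable_token: { $eq: token } });
}

const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';

// Prefix oracle: "does the token start with <known><c>?" is answered by whether
// the lookup returns a row. Each character costs at most |ALPHABET| requests.
function extractToken(lookup, length) {
  let known = '';
  for (let i = 0; i < length; i++) {
    const hit = [...ALPHABET].find(c => lookup({ $regex: '^' + escapeRegex(known + c) }).length > 0);
    if (hit === undefined) break;
    known += hit;
  }
  return known;
}

function demo() {
  const leaked = extractToken(findByTokenUnsafe, 12);
  let blocked = false;
  try { findByTokenSafe({ $regex: '^q' }); } catch (e) { blocked = e instanceof TypeError; }
  return { leaked, blocked, safeLookupWorks: findByTokenSafe('q7Zx3kLm9pW2').length === 1 };
}

console.log(demo());
```

The same `typeof === 'string'` gate belongs in front of every lookup that is keyed on request data (tokens, usernames, authData identifiers); rejecting objects at the boundary is simpler and safer than trying to enumerate dangerous operators.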

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the handling of protectedFields permissions when processing query WHERE clauses and sort parameters using dot-notation. An attacker can access or enumerate values of protected fields by crafting queries or sort operations that reference sub-fields via dot-notation.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.32, 9.6.0-alpha.6 or higher.

    Vulnerable versions: <8.6.32 || >=9.0.0-alpha.1 <9.6.0-alpha.6

    • Medium
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the /verificationEmailRequest endpoint. An attacker can determine whether specific email addresses are registered, already verified, or non-existent by analyzing the distinct error responses returned for each case.

    How to fix Information Exposure?

    Upgrade parse-server to version 8.6.34, 9.6.0-alpha.8 or higher.

    Vulnerable versions: <8.6.34 || >=9.0.0-alpha.1 <9.6.0-alpha.8

    • Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload. An attacker can execute arbitrary scripts in the context of the application domain by uploading specially crafted files with certain extensions or content types that are not blocked by default. This can lead to theft of session tokens, redirection of users, or unauthorized actions performed on behalf of users when the uploaded file is accessed in a browser.

    How to fix Cross-site Scripting (XSS)?

    Upgrade parse-server to version 8.6.30, 9.6.0-alpha.4 or higher.

    Vulnerable versions: <8.6.30 || >=9.0.0-alpha.1 <9.6.0-alpha.4

    • Medium
    LDAP Injection

    Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the authData.id parameter during the construction of LDAP Distinguished Names and group search filters. An attacker can escalate privileges and bypass group membership restrictions by injecting crafted input.

    Note: This is only exploitable if the LDAP authentication adapter is enabled with group-based access control.

    How to fix LDAP Injection?

    Upgrade parse-server to version 8.6.26, 9.5.2-alpha.13 or higher.

    Vulnerable versions: <8.6.26 || >=9.0.0-alpha.1 <9.5.2-alpha.13
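
The LDAP entry above describes an identifier from authData.id being concatenated into both a Distinguished Name and a group search filter. The JavaScript below is an added illustration, not parse-server's LDAP adapter: it applies RFC 4515 filter escaping and RFC 4514 DN escaping to a constructed malicious identifier and contrasts the result with naive string concatenation. The directory layout (ou=people, groupOfUniqueNames) is assumed for the demo.

```javascript
// Added example, not parse-server code: escaping a user-controlled identifier
// before it becomes part of an LDAP DN or search filter.

// RFC 4515: characters with structural meaning inside a filter are replaced by
// a backslash and their two-digit hex code.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, (c) =>
    '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// RFC 4514: escape the DN-special characters (and, conservatively, '='),
// NUL, and a leading space/'#' or trailing space.
function escapeDnValue(value) {
  let s = String(value).replace(/[\\,+"<>;=]/g, (c) => '\\' + c);
  s = s.replace(/\0/g, '\\00');
  if (s.startsWith(' ') || s.startsWith('#')) s = '\\' + s;
  if (s.endsWith(' ')) s = s.slice(0, -1) + '\\ ';
  return s;
}

function buildBindDn(userId, suffix) {
  return `uid=${escapeDnValue(userId)},${suffix}`;
}

// The member attribute holds a DN, so the id is DN-escaped first and the whole
// value is then filter-escaped (which also encodes the DN escape backslashes).
function buildGroupFilter(userId, groupCn) {
  return `(&(objectClass=groupOfUniqueNames)(cn=${escapeFilterValue(groupCn)})` +
         `(uniqueMember=uid=${escapeFilterValue(escapeDnValue(userId))},ou=people,dc=example,dc=com))`;
}

// The vulnerable shape: raw concatenation.
function buildGroupFilterUnsafe(userId, groupCn) {
  return `(&(objectClass=groupOfUniqueNames)(cn=${groupCn})` +
         `(uniqueMember=uid=${userId},ou=people,dc=example,dc=com))`;
}

// Constructed attacker identifier: closes the member clause and opens a new one.
function demo() {
  const evil = 'alice*)(uid=*';
  const parenCount = (s) => (s.match(/[()]/g) || []).length;
  const unsafe = buildGroupFilterUnsafe(evil, 'admins');
  const safe = buildGroupFilter(evil, 'admins');
  return {
    unsafe,
    safe,
    unsafeParens: parenCount(unsafe),   // structure changed by the payload
    safeParens: parenCount(safe),       // same as the template: 8
    bindDn: buildBindDn('smith, john', 'ou=people,dc=example,dc=com'),
  };
}

console.log(demo());
```

A parenthesis count is a crude but useful regression check for filter builders: the escaped filter must always have exactly the parentheses the template has, whatever the identifier contains.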

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the query validation. An authenticated user can access sensitive field values by wrapping constraints on protected fields inside logical query operators, thereby bypassing intended access restrictions.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.19, 9.5.2-alpha.6 or higher.

    Vulnerable versions: <8.6.19 || >=9.0.0-alpha.1 <9.5.2-alpha.6
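
Three entries on this page (the LiveQuery subscription leak, the dot-notation protectedFields bypass, and the logical-operator bypass just above) are all the same oversight: a protectedFields check that inspects only the top-level keys of the WHERE clause. The JavaScript below is an added illustration, not parse-server's query validation: a walker that collects every field a query touches, descending into $and/$or/$nor and reducing "field.sub" to "field", plus the sort keys. The protected field and the sample queries are constructed.

```javascript
// Added example, not parse-server code: find every field a query constrains so a
// protectedFields check cannot be bypassed via logical operators, dot-notation
// or sort parameters.

const LOGICAL = new Set(['$and', '$or', '$nor']);

// Returns the set of top-level field names referenced anywhere in `where`.
function referencedFields(where, out = new Set()) {
  if (where === null || typeof where !== 'object') return out;
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL.has(key)) {
      for (const clause of Array.isArray(value) ? value : []) referencedFields(clause, out);
    } else if (key.startsWith('$')) {
      continue;                       // an operator such as $regex inside a field constraint
    } else {
      out.add(key.split('.')[0]);     // "ssn.last4" constrains "ssn"
    }
  }
  return out;
}

// Naive check: top-level keys only. This is the vulnerable shape.
function naiveViolation(where, protectedFields) {
  return Object.keys(where).some(k => protectedFields.includes(k));
}

// Hardened check: every referenced field, in the where clause and in the sort
// order, must be outside the caller's protected set. Returns the offenders.
function protectedFieldViolation({ where = {}, order = '' }, protectedFields) {
  const fields = referencedFields(where);
  for (const key of order.split(',').filter(Boolean)) {
    fields.add(key.replace(/^-/, '').split('.')[0]);
  }
  return [...fields].filter(f => protectedFields.includes(f));
}

// Constructed inputs: "ssn" is protected for this caller; each query tries to learn it.
const PROTECTED = ['ssn'];
const QUERIES = {
  direct:   { where: { ssn: '123-45-6789' } },
  logical:  { where: { $or: [{ ssn: { $regex: '^123' } }, { nonexistent: 1 }] } },
  dotted:   { where: { 'ssn.last4': '6789' } },
  sortOnly: { where: { username: 'alice' }, order: '-ssn' },
  benign:   { where: { $and: [{ username: 'alice' }, { 'address.city': 'Oslo' }] } },
};

function evaluate() {
  const result = {};
  for (const [name, q] of Object.entries(QUERIES)) {
    result[name] = {
      naive: naiveViolation(q.where, PROTECTED),
      hardened: protectedFieldViolation(q, PROTECTED).length > 0,
    };
  }
  return result;
}

console.log(evaluate());
```

The same walker is what a LiveQuery subscription filter needs before the subscription is accepted: a subscriber who cannot read a field must not be allowed to constrain on it either, because the stream of matching events is itself an oracle for the value.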

    • High
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes, which do not enforce master key authentication. An attacker can read, modify, and delete sensitive configuration and audience data by sending unauthorized requests to these endpoints.

    How to fix Missing Authorization?

    Upgrade parse-server to version 8.6.25, 9.5.2-alpha.12 or higher.

    Vulnerable versions: <8.6.25 || >=9.0.0-alpha.1 <9.5.2-alpha.12

    • Critical
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation. An attacker can execute arbitrary SQL queries and read sensitive data from the database by injecting malicious input into the amount parameter of a write request to the REST API.

    How to fix SQL Injection?

    Upgrade parse-server to version 8.6.29, 9.6.0-alpha.3 or higher.

    Vulnerable versions: <8.6.29 || >=9.0.0-alpha.1 <9.6.0-alpha.3

    • Critical
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection in the handling of dot-notation field names with the sort, distinct, or where query parameters in PostgreSQL deployments. An attacker can execute arbitrary SQL commands by injecting malicious input through these query parameters.

    Note: This is only exploitable if the deployment is configured to use a PostgreSQL database.

    How to fix SQL Injection?

    Upgrade parse-server to version 8.6.28, 9.6.0-alpha.2 or higher.

    Vulnerable versions: <8.6.28 || >=9.0.0-alpha.1 <9.6.0-alpha.2
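
The PostgreSQL injections listed on this page (field names in query constraints, sub-key names and the amount in dot-notation Increment operations, and dot-notation field names in sort/distinct/where) come down to two rules: identifiers are allowlisted and quoted rather than interpolated, and values travel as bind parameters after a type check. The JavaScript below is an added illustration of those rules, not parse-server's PostgreSQL adapter; the table, the SQL shape and the attack strings are constructed, and the statement is built but not executed.

```javascript
// Added example, not parse-server code: building a dot-notation Increment for
// PostgreSQL without letting any request byte into the SQL text unvalidated.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Quote one identifier; anything outside the allowlist is rejected, not escaped.
function quoteIdent(name) {
  if (typeof name !== 'string' || !IDENT.test(name)) {
    throw new Error(`illegal identifier: ${JSON.stringify(name)}`);
  }
  return `"${name}"`;
}

// "stats.visits" -> column "stats", JSON path ['visits']. Every segment must
// look like a column name, so the jsonb path literal can contain no quotes.
function jsonPath(fieldName) {
  const [column, ...path] = fieldName.split('.');
  quoteIdent(column);
  path.forEach(quoteIdent);
  if (path.length === 0) throw new Error('not a dot-notation field');
  return { column, path };
}

// UPDATE t SET col = jsonb_set(col, '{a,b}', to_jsonb(current + $1)) WHERE objectId = $2
// The amount and the objectId are bind parameters; only validated identifiers
// are interpolated into the statement text.
function incrementSql(table, fieldName, amount, objectId) {
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    throw new Error('amount must be a finite number');
  }
  const { column, path } = jsonPath(fieldName);
  const col = quoteIdent(column);
  const pathLiteral = `'{${path.join(',')}}'`;   // safe: every segment matched IDENT
  const text =
    `UPDATE ${quoteIdent(table)} SET ${col} = jsonb_set(${col}, ${pathLiteral}, ` +
    `to_jsonb(COALESCE((${col} #>> ${pathLiteral})::numeric, 0) + $1)) ` +
    `WHERE "objectId" = $2`;
  return { text, values: [amount, objectId] };
}

// Constructed attempts: one legitimate increment and three injection shapes.
function attempts() {
  const run = (f) => {
    try { return { ok: true, ...f() }; } catch (e) { return { ok: false, error: e.message }; }
  };
  return {
    legit:     run(() => incrementSql('GameScore', 'stats.visits', 1, 'abc123')),
    badSubKey: run(() => incrementSql('GameScore', "stats.x'); DROP TABLE \"_User\"; --", 1, 'abc123')),
    badAmount: run(() => incrementSql('GameScore', 'stats.visits', '1) ; SELECT * FROM "_User"--', 'abc123')),
    badColumn: run(() => incrementSql('GameScore', '"stats"."visits"', 1, 'abc123')),
  };
}

console.log(attempts());
```

Rejecting rather than escaping identifiers is deliberate: a Parse class or field name that fails the pattern is not something the schema would have accepted in the first place, so there is nothing legitimate to lose.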

    • High
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload process. An attacker can execute arbitrary JavaScript in the context of the application origin by uploading a crafted SVG file containing malicious scripts, which are then served inline without protective headers. This can lead to theft of session tokens from localStorage and potential account takeover. This is only exploitable if file upload is enabled for authenticated users, which is the default configuration.

    How to fix Cross-site Scripting (XSS)?

    Upgrade parse-server to version 8.6.17, 9.5.2-alpha.4 or higher.

    Vulnerable versions: <8.6.17 || >=9.0.0 <9.5.2-alpha.4

    • High
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution via triggers.js when a prototype property name is used as the function name. An attacker can terminate the server process or bypass function dispatch validation by sending specially crafted requests that exploit prototype chain resolution. This can result in the server crashing due to infinite recursion or returning unauthorized HTTP 200 responses for undefined functions.

    How to fix Prototype Pollution?

    Upgrade parse-server to version 9.5.1-alpha.2, 8.6.13 or higher.

    Vulnerable versions: >=9.0.0-alpha.1 <9.5.1-alpha.2 || <8.6.13
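
The trigger-dispatch entry above is a classic consequence of using a plain object as a registry: `registry["constructor"]` or `registry["toString"]` resolves through the prototype chain to a real function, so a name that was never registered passes a `typeof === 'function'` check. The JavaScript below is an added illustration, not parse-server's triggers.js; the function names and the HTTP-style status codes are constructed for the demo.

```javascript
// Added example, not parse-server code: function-name dispatch through a plain
// object (vulnerable to prototype-chain resolution) versus a Map with a name
// allowlist.

// Plain-object registry: the vulnerable shape.
const functionsUnsafe = {};
functionsUnsafe.hello = (params) => `hello ${params.name}`;

function isRegisteredUnsafe(name) {
  return typeof functionsUnsafe[name] === 'function';   // true for "constructor", "toString", ...
}

// Hardened registry: a Map never consults Object.prototype, and names are
// validated at definition time so nothing odd can be registered either.
const functionsSafe = new Map();
const VALID_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

function define(name, fn) {
  if (!VALID_NAME.test(name)) throw new Error(`invalid function name: ${name}`);
  functionsSafe.set(name, fn);
}
define('hello', (params) => `hello ${params.name}`);

function isRegisteredSafe(name) {
  return typeof name === 'string' && functionsSafe.has(name);
}

// Dispatch the way an HTTP handler would: 200 with a result, 404 for unknown names.
function dispatch(lookup, registry, name, params) {
  if (!lookup(name)) return { status: 404, error: 'Invalid function: ' + name };
  const fn = registry instanceof Map ? registry.get(name) : registry[name];
  try {
    return { status: 200, result: String(fn(params)) };
  } catch (e) {
    return { status: 500, error: e.message };
  }
}

// Probe both registries with one real name, two inherited property names and
// one unknown name. Assignments below create own properties on `out`, so the
// "constructor"/"toString" keys are ordinary result entries.
function probe() {
  const out = {};
  for (const n of ['hello', 'constructor', 'toString', 'nope']) {
    out[n] = {
      unsafe: dispatch(isRegisteredUnsafe, functionsUnsafe, n, { name: 'bob' }).status,
      safe:   dispatch(isRegisteredSafe, functionsSafe, n, { name: 'bob' }).status,
    };
  }
  return out;
}

console.log(probe());
```

The unsafe registry answers 200 for "constructor" (it calls `Object`) and "toString", which is the "HTTP 200 for undefined functions" symptom the advisory describes; the Map-based registry answers 404 for both.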

    • Medium
    Improper Check for Unusual or Exceptional Conditions

    Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions via the Utils class. An attacker can bypass configured keyword restrictions by placing a nested object or array before a prohibited keyword in the request payload, causing the scan to terminate early and allowing prohibited keywords to be included undetected.

    How to fix Improper Check for Unusual or Exceptional Conditions?

    Upgrade parse-server to version 9.5.1-alpha.1, 8.6.12 or higher.

    Vulnerable versions: >=9.0.0-alpha.1 <9.5.1-alpha.1 || <8.6.12
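
The keyword-scan bypass above depends on the scanner returning as soon as it has recursed into the first nested value, so any forbidden key placed after that value is never seen. The JavaScript below is an added illustration, not parse-server's Utils class: a scanner with exactly that early return next to one that visits every key at every depth, including array elements. The denylist shape (objects with a `key` that is a string or a pattern) and the payloads are constructed for the demo; one payload is built with JSON.parse so that "__proto__" is an ordinary own key, as it would be in a parsed request body.

```javascript
// Added example, not parse-server code: recursive denylist scanning, broken and
// fixed. A request body is rejected if any key, at any depth, matches a rule.

const DENYLIST = [{ key: '__proto__' }, { key: 'constructor' }, { key: /^\$/ }];

function keyMatches(key, rule) {
  return rule.key instanceof RegExp ? rule.key.test(key) : key === rule.key;
}

// Broken: the `return` inside the loop ends the whole scan after the first
// nested value, whether or not that value contained anything forbidden.
function scanBroken(obj) {
  if (obj === null || typeof obj !== 'object') return null;
  for (const [key, value] of Object.entries(obj)) {
    if (DENYLIST.some(r => keyMatches(key, r))) return key;
    if (typeof value === 'object') return scanBroken(value);
  }
  return null;
}

// Fixed: keep iterating siblings when a nested value comes back clean, and
// walk array elements too. Returns the dotted path of the first hit, or null.
function scanFixed(obj, path = []) {
  if (obj === null || typeof obj !== 'object') return null;
  const entries = Array.isArray(obj) ? obj.map((v, i) => [String(i), v]) : Object.entries(obj);
  for (const [key, value] of entries) {
    const here = [...path, key];
    if (!Array.isArray(obj) && DENYLIST.some(r => keyMatches(key, r))) return here.join('.');
    const nested = scanFixed(value, here);
    if (nested !== null) return nested;
  }
  return null;
}

// Constructed payloads. "bypass" puts an innocuous nested object *before* the
// forbidden key; "inArray" hides the operator inside an array element.
const PAYLOADS = {
  plain:   { name: 'alice', role: 'user' },
  obvious: { name: 'alice', $where: '1' },
  bypass:  JSON.parse('{"profile":{"city":"Oslo"},"__proto__":{"isAdmin":true}}'),
  inArray: { tags: [{ ok: 1 }, { $gt: '' }] },
};

function results() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = { broken: scanBroken(p), fixed: scanFixed(p) };
  }
  return out;
}

console.log(results());
```

The fixed scanner returns a path rather than a bare key so the rejection message can point at `tags.1.$gt` instead of just `$gt`, which makes legitimate rejections far easier for API users to debug.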

    • High
    Regular Expression Denial of Service (ReDoS)

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the handling of $regex in the LiveQuery component. An attacker can cause the server to become unresponsive by subscribing with a specially crafted $regex pattern that triggers catastrophic backtracking, blocking the Node.js event loop.

    Note: This only affects LiveQuery subscription matching; normal REST and GraphQL queries are not affected because their $regex is evaluated by the database engine rather than in the Node.js process.

    How to fix Regular Expression Denial of Service (ReDoS)?

    Upgrade parse-server to version 8.6.11, 9.5.0-alpha.14 or higher.

    Vulnerable versions: <8.6.11 || >=9.0.0 <9.5.0-alpha.14

    • Medium
    Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in the GET /files/:appId/metadata/:filename endpoint due to the lack of enforcement of beforeFind and afterFind triggers. An attacker can gain unauthorized access to file metadata by sending requests to this endpoint, bypassing intended access control mechanisms.

    Workaround:

    This vulnerability can be mitigated by disabling the metadata endpoint by overriding the route with a middleware that rejects all requests.

    How to fix Missing Authorization?

    Upgrade parse-server to version 8.6.9, 9.5.0-alpha.9 or higher.

    Vulnerable versions: <8.6.9 || >=9.0.0-alpha.1 <9.5.0-alpha.9

    • High
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the authentication process when the audience configuration option is not set. An attacker can gain unauthorized access by presenting a validly signed JWT issued for a different application.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade parse-server to version 8.6.10, 9.5.0-alpha.11 or higher.

    Vulnerable versions: <8.6.10 || >=9.0.0-alpha.1 <9.5.0-alpha.11

    • High
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal in the PagesRouter static file handler. An attacker can read arbitrary files outside the intended pages directory by sending crafted requests containing path traversal sequences.

    How to fix Directory Traversal?

    Upgrade parse-server to version 8.6.8, 9.5.0-alpha.8 or higher.

    Vulnerable versions: <8.6.8 || >=9.0.0-alpha.1 <9.5.0-alpha.8

    • Medium
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure in the query execution layer. An attacker can obtain internal database error details, including error messages, codes, and topology information, by submitting a malformed $regex parameter in an API request.

    How to fix Information Exposure?

    Upgrade parse-server to version 8.6.7, 9.5.0-alpha.6 or higher.

    Vulnerable versions: <8.6.7 || >=9.0.0-alpha.1 <9.5.0-alpha.6

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the /loginAs endpoint when using the readOnlyMasterKey credential. An attacker can impersonate arbitrary users and gain full read and write access to their data by obtaining a valid session token through this endpoint.

    Note: This is only exploitable if the readOnlyMasterKey is used in the deployment.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.6, 9.5.0-alpha.4 or higher.

    Vulnerable versions: <8.6.6 || >=9.0.0-alpha.1 <9.5.0-alpha.4

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization via the Files API endpoints. An attacker can upload arbitrary files or delete existing files by using the readOnlyMasterKey to bypass intended write restrictions.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.5, 9.5.0-alpha.3 or higher.

    Vulnerable versions: <8.6.5 || >=9.0.0-alpha.1 <9.5.0-alpha.3

    • High
    Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the handling of the readOnlyMasterKey option, which incorrectly permits mutating operations such as creating, modifying, and deleting Cloud Hooks, as well as starting Cloud Jobs.

    How to fix Incorrect Authorization?

    Upgrade parse-server to version 8.6.4, 9.4.1-alpha.3 or higher.

    Vulnerable versions: <8.6.4 || >=9.0.0-alpha.1 <9.4.1-alpha.3

    • Critical
    Use of a Broken or Risky Cryptographic Algorithm

    Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm via the Google authentication. An attacker can gain unauthorized access to any user account linked with Google authentication by forging a JWT token with alg set to "none". This is only exploitable if Google authentication is enabled.

    How to fix Use of a Broken or Risky Cryptographic Algorithm?

    Upgrade parse-server to version 8.6.3, 9.3.1-alpha.4 or higher.

    Vulnerable versions: <8.6.3 || >=9.0.0-alpha.1 <9.3.1-alpha.4

    • High
    Server-side Request Forgery (SSRF)

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the apiURL parameter in authData used by the Instagram OAuth adapter. An attacker can make unauthorized requests to internal or external resources by supplying a malicious endpoint, potentially leading to authentication bypass if the endpoint returns crafted responses.

    How to fix Server-side Request Forgery (SSRF)?

    Upgrade parse-server to version 8.6.2, 9.1.1-alpha.1 or higher.

    Vulnerable versions: <8.6.2 || >=9.0.0 <9.1.1-alpha.1

    • Medium
    Cross-site Scripting (XSS)

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of user-supplied input in the HTML pages for password reset and email verification. An attacker can execute arbitrary scripts in the context of a user's browser by crafting malicious input that is reflected in these pages.

    How to fix Cross-site Scripting (XSS)?

    Upgrade parse-server to version 8.6.1, 9.1.0-alpha.3 or higher.

    Vulnerable versions: <8.6.1 || >=9.0.0-alpha.1 <9.1.0-alpha.3

    • Medium
    Insertion of Sensitive Information Into Sent Data

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the Parse.Query.explain function which provides detailed information about query execution plans. An attacker can obtain sensitive database schema details and performance metrics by issuing public requests to this process without authentication.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade parse-server to version 8.5.0-alpha.5 or higher.

    Vulnerable versions: <8.5.0-alpha.5

    • High
    Allocation of Resources Without Limits or Throttling

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the file upload functionality. An attacker can cause the server to crash by supplying a crafted URI parameter that triggers a request to an arbitrary URI, resulting in a denial of service.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade parse-server to version 7.5.4, 8.4.0-alpha.2 or higher.

    Vulnerable versions: >=4.2.0 <7.5.4 || >=8.0.0 <8.4.0-alpha.2

    • Medium
    Improper Authentication

    Affected versions of this package are vulnerable to Improper Authentication due to the improper handling of authentication credentials across multiple applications. An attacker can exploit this vulnerability to authenticate using credentials from one application in another unrelated application by leveraging shared authentication providers.

    How to fix Improper Authentication?

    Upgrade parse-server to version 7.5.2, 8.0.2 or higher.

    Vulnerable versions: <7.5.2 || >=8.0.0 <8.0.2

    • High
    Improper Authorization

    Affected versions of this package are vulnerable to Improper Authorization when allowCustomObjectId is set to true. An attacker can exploit this by creating a new user whose custom object ID matches a specific role prefix.

    How to fix Improper Authorization?

    Upgrade parse-server to version 6.5.9, 7.3.0 or higher.

    Vulnerable versions: <6.5.9 || >=7.0.0 <7.3.0

    • High
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection when Parse Server is configured to use the PostgreSQL database. An attacker can execute arbitrary SQL commands.

    How to fix SQL Injection?

    Upgrade parse-server to version 6.5.7, 7.1.0 or higher.

    Vulnerable versions: <6.5.7 || >=7.0.0 <7.1.0

    • Critical
    Improper Input Validation

    Affected versions of this package are vulnerable to Improper Input Validation for Cloud Function names and Cloud Job names. Exploiting this vulnerability allows an attacker to cause a denial of service or execute arbitrary code by sending a specially crafted request.

    How to fix Improper Input Validation?

    Upgrade parse-server to version 6.5.5, 7.0.0-alpha.29 or higher.

    Vulnerable versions: <6.5.5 || >=7.0.0-alpha.1 <7.0.0-alpha.29

    • Critical
    SQL Injection

    Affected versions of this package are vulnerable to SQL Injection via a malicious PostgreSQL statement containing multiple quoted strings. This vulnerability is only present when the PostgreSQL engine is in use.

    How to fix SQL Injection?

    Upgrade parse-server to version 6.5.0, 7.0.0-alpha.20 or higher.

    Vulnerable versions: <6.5.0 || >=7.0.0-alpha.1 <7.0.0-alpha.20

    • High
    Uncontrolled Resource Consumption ('Resource Exhaustion')

    Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the file upload function. An attacker can cause the server to crash by uploading a file without an extension.

    How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

    Upgrade parse-server to version 5.5.6, 6.3.1 or higher.

    Vulnerable versions: >=1.0.0 <5.5.6 || >=6.0.0 <6.3.1

    • High
    Access Restriction Bypass

    Affected versions of this package are vulnerable to Access Restriction Bypass via the beforeFind trigger in the Parse Cloud. An attacker can bypass security layers and modify incoming queries by exploiting certain conditions in Parse.Query. This is only exploitable if the beforeFind trigger is used as a security layer to modify the incoming query.

    How to fix Access Restriction Bypass?

    Upgrade parse-server to version 5.5.5, 6.2.2 or higher.

    Vulnerable versions: >=1.0.0 <5.5.5 || >=6.0.0 <6.2.2

    • Critical
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution in the MongoDB BSON parser, which allows attackers to execute code on the affected system.

    How to fix Prototype Pollution?

    Upgrade parse-server to version 5.5.2, 6.2.1 or higher.

    Vulnerable versions: <5.5.2 || >=6.0.0-alpha.1 <6.2.1

    • Medium
    Arbitrary File Upload

    Affected versions of this package are vulnerable to Arbitrary File Upload such that a malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.

    Note:

    An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.

    How to fix Arbitrary File Upload?

    Upgrade parse-server to version 5.5.0, 6.2.0 or higher.

    Vulnerable versions: <5.5.0 || >=6.0.0 <6.2.0

    • High
    Authentication Bypass

    Affected versions of this package are vulnerable to Authentication Bypass due to insufficient checks in the mechanism used to determine the client's IP address.

    How to fix Authentication Bypass?

    Upgrade parse-server to version 5.4.1 or higher.

    Vulnerable versions: <5.4.1
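
The authentication bypass above comes from trusting the client's own statement of its IP address. The usual form of that mistake is reading the first entry of X-Forwarded-For, which the client writes, rather than counting back from the connecting peer over the proxies you actually operate. The JavaScript below is an added illustration, not parse-server code: it assumes an IP allowlist that gates a privileged credential (the page does not name the option) and shows how a spoofed header passes the naive check but not the trusted-proxy-count check. The addresses and the proxy layout are constructed.

```javascript
// Added example, not parse-server code: deriving the client IP from
// X-Forwarded-For without trusting the part of the header the client controls.

// Each proxy appends the address it saw, so the rightmost entries were written
// by infrastructure we control and the leftmost by whoever opened the connection.
// `trustedProxyCount` is how many of our own proxies sit in front of the server.
function clientIp(remoteAddress, xForwardedFor, trustedProxyCount) {
  const hops = (xForwardedFor || '').split(',').map(s => s.trim()).filter(Boolean);
  const chain = [...hops, remoteAddress];            // rightmost = peer that connected to us
  const trusted = Math.min(trustedProxyCount, chain.length - 1);
  return chain[chain.length - 1 - trusted];
}

// Naive version: the first address in the header, i.e. whatever the client sent.
function clientIpNaive(remoteAddress, xForwardedFor) {
  const first = (xForwardedFor || '').split(',')[0].trim();
  return first || remoteAddress;
}

const PRIVILEGED_IPS = ['10.0.0.5'];   // constructed allowlist for a privileged key

function scenarios() {
  const cases = {
    // Attacker connects directly and claims to be the allowlisted host.
    spoofDirect:       { remote: '203.0.113.9', xff: '10.0.0.5', proxies: 0 },
    // Attacker behind our one proxy sends a pre-filled header; the proxy appends the real peer.
    spoofBehindProxy:  { remote: '192.168.1.2', xff: '10.0.0.5, 203.0.113.9', proxies: 1 },
    // Legitimate internal client behind the same proxy.
    honestBehindProxy: { remote: '192.168.1.2', xff: '10.0.0.5', proxies: 1 },
  };
  const out = {};
  for (const [name, c] of Object.entries(cases)) {
    out[name] = {
      naiveAllowed:    PRIVILEGED_IPS.includes(clientIpNaive(c.remote, c.xff)),
      hardenedAllowed: PRIVILEGED_IPS.includes(clientIp(c.remote, c.xff, c.proxies)),
    };
  }
  return out;
}

console.log(scenarios());
```

If the server is not behind a proxy at all, `trustedProxyCount` must be 0 and the header must be ignored entirely; a proxy count that is too high is just as exploitable as trusting the first entry, because the attacker can pad the header with extra addresses.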

    • High
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution such that a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

    How to fix Prototype Pollution?

    Upgrade parse-server to version 4.10.20, 5.3.3 or higher.

    Vulnerable versions: <4.10.20 || >=5.0.0 <5.3.3

    • High
    Prototype Pollution

    Affected versions of this package are vulnerable to Prototype Pollution such that keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.

    How to fix Prototype Pollution?

    Upgrade parse-server to version 4.10.19, 5.3.2 or higher.

    Vulnerable versions: <4.10.19 || >=5.0.0 <5.3.2