Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Uncontrolled Recursion parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can cause excessive recursion and CPU consumption by sending a subscription with deeply nested logical operators, potentially degrading or disrupting service availability. Note: This is only exploitable if the LiveQuery WebSocket endpoint is accessible to untrusted clients. How to fix Uncontrolled Recursion? Upgrade `parse-server` to version 8.6.56, 9.6.0-alpha.45 or higher.	<8.6.56>=9.0.0 <9.6.0-alpha.45
M Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the `watch` parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer changes to protected fields by observing the presence or absence of update events, effectively revealing sensitive information about those fields without direct access. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.54, 9.6.0-alpha.43 or higher.	<8.6.54>=9.0.0 <9.6.0-alpha.43
H Incorrect Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker can gain unauthorized access to sensitive data by subscribing to real-time updates for objects in classes protected by pointer permissions, even if the pointer fields do not reference the subscribing user. How to fix Incorrect Authorization? Upgrade `parse-server` to version 8.6.53, 9.6.0-alpha.42 or higher.	<8.6.53>=9.0.0 <9.6.0-alpha.42
H Uncontrolled Recursion parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become permanently unresponsive by sending an unauthenticated HTTP request with a deeply nested query containing logical operators. How to fix Uncontrolled Recursion? Upgrade `parse-server` to version 8.6.55, 9.6.0-alpha.44 or higher.	<8.6.55>=9.0.0-alpha.1 <9.6.0-alpha.44
H Missing Authentication for Critical Function parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option `allowExpiredAuthDataToken` is set to `true`. How to fix Missing Authentication for Critical Function? Upgrade `parse-server` to version 8.6.52, 9.6.0-alpha.41 or higher.	<8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41
M Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure through the Pages and legacy PublicAPI routes that do not respect `emailVerifySuccessOnInvalidEmail` configuration option. An attacker can determine the existence of valid usernames by submitting requests and observing different redirect targets based on whether the provided username exists and has an unverified email. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.51, 9.6.0-alpha.40 or higher.	<8.6.51>=9.0.0-alpha.1 <9.6.0-alpha.40
H Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the `afterLiveQueryEvent` trigger. An attacker can access sensitive protected fields and authentication data of other users by subscribing to LiveQuery events for a class with this trigger registered. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.50, 9.6.0-alpha.35 or higher.	<8.6.50>=9.0.0 <9.6.0-alpha.35
H Improperly Controlled Sequential Memory Allocation parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Sequential Memory Allocation in the Cloud function endpoint. An attacker can cause the server process to crash by invoking a cloud function endpoint with a specially crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, resulting in a stack overflow. How to fix Improperly Controlled Sequential Memory Allocation? Upgrade `parse-server` to version 8.6.47, 9.6.0-alpha.24 or higher.	<8.6.47>=9.0.0-alpha.1 <9.6.0-alpha.24
M Weak Authentication parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Weak Authentication in the user sign up. An attacker can create authenticated sessions without providing valid credentials by submitting an empty `authData` object during signup, even when anonymous users are disabled. How to fix Weak Authentication? Upgrade `parse-server` to version 8.6.49, 9.6.0-alpha.29 or higher.	<8.6.49>=9.0.0-alpha.1 <9.6.0-alpha.29
L Time-of-check Time-of-use (TOCTOU) Race Condition parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the password reset mechanism. An attacker can gain unauthorized access to a user's account by intercepting a password reset token and submitting concurrent requests, potentially causing the attacker's password to be set instead of the legitimate user's. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `parse-server` to version 8.6.48, 9.6.0-alpha.28 or higher.	<8.6.48>=9.0.0-alpha.1 <9.6.0-alpha.28
M Prototype Pollution parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Prototype Pollution in the deep copy mechanism. An attacker can inject unauthorized fields into class schemas and bypass security restrictions by exploiting prototype pollution in the deep copy process. How to fix Prototype Pollution? Upgrade `parse-server` to version 8.6.44, 9.6.0-alpha.20 or higher.	<8.6.44>=9.0.0-alpha.1 <9.6.0-alpha.20
H Improper Validation of Syntactic Correctness of Input parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the LiveQuery subscription when an invalid regular expression pattern is provided. An attacker can cause the server process to terminate, resulting in denial of service for all connected clients by submitting a subscription request containing a malformed regular expression. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `parse-server` to version 8.6.43, 9.6.0-alpha.19 or higher.	<8.6.43>=9.0.0-alpha.1 <9.6.0-alpha.19
M Improperly Controlled Modification of Dynamically-Determined Object Attributes parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the `POST /classes/_Session` endpoint. An attacker can manipulate server-generated session fields such as `sessionToken`, `expiresAt`, and `createdWith` by supplying crafted values, potentially bypassing session expiration policies and setting predictable session tokens. How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes? Upgrade `parse-server` to version 8.6.42, 9.6.0-alpha.17 or higher.	<8.6.42>=9.0.0-alpha.1 <9.6.0-alpha.17
H Uncontrolled Recursion parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion while processing of deeply nested query condition operators. An attacker can cause the server process to crash and deny service to all connected clients by sending a single crafted request. How to fix Uncontrolled Recursion? Upgrade `parse-server` to version 8.6.45, 9.6.0-alpha.21 or higher.	<8.6.45>=9.0.0-alpha.1 <9.6.0-alpha.21
H Cross-site Scripting (XSS) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload process. An attacker can execute arbitrary scripts in the user's browser by uploading files with specially crafted `Content-Type` headers or with XML-based file extensions that bypass the blocklist. This can result in the compromise of session tokens, user credentials, or other sensitive data accessible via the browser's local storage. Workaround This vulnerability can be mitigated by configuring the `fileUpload.fileExtensions` option to use an allowlist of only the file extensions required by the application. How to fix Cross-site Scripting (XSS)? Upgrade `parse-server` to version 8.6.41, 9.6.0-alpha.15 or higher.	<8.6.41>=9.0.0-alpha.1 <9.6.0-alpha.15
M Missing Authentication for Critical Function parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the `createSubscriptions` process. An attacker can execute unauthorized GraphQL operations, access schema introspection, and bypass query complexity limits by connecting to the WebSocket endpoint without valid credentials. How to fix Missing Authentication for Critical Function? Upgrade `parse-server` to version 8.6.40, 9.6.0-alpha.14 or higher.	<8.6.40>=9.0.0-alpha.1 <9.6.0-alpha.14
M Function Call With Incorrect Order of Arguments parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments in the OAuth2 authentication adapter when both `appidField` and `appIds` are configured. An attacker can bypass authentication restrictions or cause authentication failures by exploiting the improper validation of app IDs, which results in a malformed value being sent to the token introspection endpoint instead of the user's actual access token. How to fix Function Call With Incorrect Order of Arguments? Upgrade `parse-server` to version 8.6.39, 9.6.0-alpha.13 or higher.	>=8.0.2 <8.6.39>=9.0.0-alpha.1 <9.6.0-alpha.13
C Improper Neutralization of Special Elements in Data Query Logic parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the `findUsersWithAuthData()` function of authentication data identifier. An attacker can gain unauthorized access to any user account by sending a specially crafted login request that manipulates the user identifier, causing the server to perform a pattern-matching query instead of an exact-match lookup and returning a valid session token for the targeted account. How to fix Improper Neutralization of Special Elements in Data Query Logic? Upgrade `parse-server` to version 8.6.38, 9.6.0-alpha.12 or higher.	<8.6.38>=9.0.0-alpha.1 <9.6.0-alpha.12
C Race Condition parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition in the OAuth2 auth adapter. An attacker can gain unauthorized access by exploiting a race condition that causes token validation to occur against the wrong provider's configuration during concurrent authentication requests. This is only exploitable if multiple OAuth2 providers are configured via the `oauth2: true` flag. How to fix Race Condition? Upgrade `parse-server` to version 8.6.37, 9.6.0-alpha.11 or higher.	<8.6.37>=9.0.0-alpha.1 <9.6.0-alpha.11
M Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure in the LiveQuery subscription process. An attacker can infer the values of protected fields by crafting a subscription with a WHERE clause that references protected fields, including using dot-notation or `$regex`, and observing whether LiveQuery events are triggered for matching objects. Note: This is only exploitable if both protectedFields are configured in Class-Level Permissions and LiveQuery is enabled. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.35, 9.6.0-alpha.9 or higher.	<8.6.35>=9.0.0-alpha.1 <9.6.0-alpha.9
H SQL Injection parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection via the `query` field name when using PostgreSQL. An attacker can execute arbitrary SQL commands by injecting malicious field names in query constraints. Note: This is only exploitable if the deployment is configured to use PostgreSQL as the database and the attacker possesses the master key. How to fix SQL Injection? Upgrade `parse-server` to version 8.6.36, 9.6.0-alpha.10 or higher.	<8.6.36>=9.0.0-alpha.1 <9.6.0-alpha.10
C SQL Injection parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the `Increment` operation on PostgreSQL when handling nested object fields using dot notation. An attacker can execute arbitrary SQL commands or access sensitive database information by crafting a malicious sub-key name containing single quotes in write requests to the REST API. How to fix SQL Injection? Upgrade `parse-server` to version 8.6.31, 9.6.0-alpha.5 or higher.	<8.6.31>=9.0.0-alpha.1 <9.6.0-alpha.5
C Operation on a Resource after Expiration or Release parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the recovery code. An attacker can repeatedly gain unauthorized access to user accounts by reusing the same recovery code without it being invalidated. How to fix Operation on a Resource after Expiration or Release? Upgrade `parse-server` to version 8.6.33, 9.6.0-alpha.7 or higher.	<8.6.33>=9.0.0-alpha.1 <9.6.0-alpha.7
H Incorrect Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the handling of `protectedFields` permissions when processing query WHERE clauses and sort parameters using dot-notation. An attacker can access or enumerate values of protected fields by crafting queries or sort operations that reference sub-fields via dot-notation. How to fix Incorrect Authorization? Upgrade `parse-server` to version 8.6.32, 9.6.0-alpha.6 or higher.	<8.6.32>=9.0.0-alpha.1 <9.6.0-alpha.6
M Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure in the `/verificationEmailRequest` endpoint. An attacker can determine whether specific email addresses are registered, already verified, or non-existent by analyzing the distinct error responses returned for each case. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.34, 9.6.0-alpha.8 or higher.	<8.6.34>=9.0.0-alpha.1 <9.6.0-alpha.8
M Cross-site Scripting (XSS) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload. An attacker can execute arbitrary scripts in the context of the application domain by uploading specially crafted files with certain extensions or content types that are not blocked by default. This can lead to theft of session tokens, redirection of users, or unauthorized actions performed on behalf of users when the uploaded file is accessed in a browser. How to fix Cross-site Scripting (XSS)? Upgrade `parse-server` to version 8.6.30, 9.6.0-alpha.4 or higher.	<8.6.30>=9.0.0-alpha.1 <9.6.0-alpha.4
M LDAP Injection parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the `authData.id` parameter during the construction of LDAP Distinguished Names and group search filters. An attacker can escalate privileges and bypass group membership restrictions by injecting crafted input. Note: This is only exploitable if the LDAP authentication adapter is enabled with group-based access control. How to fix LDAP Injection? Upgrade `parse-server` to version 8.6.26, 9.5.2-alpha.13 or higher.	<8.6.26>=9.0.0-alpha.1 <9.5.2-alpha.13
H Missing Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authorization via the generic `/classes/_GraphQLConfig` and `/classes/_Audience` REST API routes, which do not enforce master key authentication. An attacker can read, modify, and delete sensitive configuration and audience data by sending unauthorized requests to these endpoints. How to fix Missing Authorization? Upgrade `parse-server` to version 8.6.25, 9.5.2-alpha.12 or higher.	<8.6.25>=9.0.0-alpha.1 <9.5.2-alpha.12
C SQL Injection parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the PostgreSQL storage adapter when processing `Increment` operations on nested object fields using dot notation. An attacker can execute arbitrary SQL queries and read sensitive data from the database by injecting malicious input into the `amount` parameter of a write request to the REST API. How to fix SQL Injection? Upgrade `parse-server` to version 8.6.29, 9.6.0-alpha.3 or higher.	<8.6.29>=9.0.0-alpha.1 <9.6.0-alpha.3
C SQL Injection parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to SQL Injection in the handling of dot-notation field names with the `sort`, `distinct`, or `where` query parameters in PostgreSQL deployments. An attacker can execute arbitrary SQL commands by injecting malicious input through these query parameters. Note: This is only exploitable if the deployment is configured to use a PostgreSQL database. How to fix SQL Injection? Upgrade `parse-server` to version 8.6.28, 9.6.0-alpha.2 or higher.	<8.6.28>=9.0.0-alpha.1 <9.6.0-alpha.2

Vulnerability

Vulnerable Version

Uncontrolled Recursion

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can cause excessive recursion and CPU consumption by sending a subscription with deeply nested logical operators, potentially degrading or disrupting service availability.

Note: This is only exploitable if the LiveQuery WebSocket endpoint is accessible to untrusted clients.

How to fix Uncontrolled Recursion?

Upgrade parse-server to version 8.6.56, 9.6.0-alpha.45 or higher.

<8.6.56>=9.0.0 <9.6.0-alpha.45

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure via the watch parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer changes to protected fields by observing the presence or absence of update events, effectively revealing sensitive information about those fields without direct access.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.54, 9.6.0-alpha.43 or higher.

<8.6.54>=9.0.0 <9.6.0-alpha.43

Incorrect Authorization

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker can gain unauthorized access to sensitive data by subscribing to real-time updates for objects in classes protected by pointer permissions, even if the pointer fields do not reference the subscribing user.

How to fix Incorrect Authorization?

Upgrade parse-server to version 8.6.53, 9.6.0-alpha.42 or higher.

<8.6.53>=9.0.0 <9.6.0-alpha.42

Uncontrolled Recursion

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become permanently unresponsive by sending an unauthenticated HTTP request with a deeply nested query containing logical operators.

How to fix Uncontrolled Recursion?

Upgrade parse-server to version 8.6.55, 9.6.0-alpha.44 or higher.

<8.6.55>=9.0.0-alpha.1 <9.6.0-alpha.44

Missing Authentication for Critical Function

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option allowExpiredAuthDataToken is set to true.

How to fix Missing Authentication for Critical Function?

Upgrade parse-server to version 8.6.52, 9.6.0-alpha.41 or higher.

<8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure through the Pages and legacy PublicAPI routes that do not respect emailVerifySuccessOnInvalidEmail configuration option. An attacker can determine the existence of valid usernames by submitting requests and observing different redirect targets based on whether the provided username exists and has an unverified email.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.51, 9.6.0-alpha.40 or higher.

<8.6.51>=9.0.0-alpha.1 <9.6.0-alpha.40

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure via the afterLiveQueryEvent trigger. An attacker can access sensitive protected fields and authentication data of other users by subscribing to LiveQuery events for a class with this trigger registered.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.50, 9.6.0-alpha.35 or higher.

<8.6.50>=9.0.0 <9.6.0-alpha.35

Improperly Controlled Sequential Memory Allocation

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improperly Controlled Sequential Memory Allocation in the Cloud function endpoint. An attacker can cause the server process to crash by invoking a cloud function endpoint with a specially crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, resulting in a stack overflow.

How to fix Improperly Controlled Sequential Memory Allocation?

Upgrade parse-server to version 8.6.47, 9.6.0-alpha.24 or higher.

<8.6.47>=9.0.0-alpha.1 <9.6.0-alpha.24

Weak Authentication

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Weak Authentication in the user sign up. An attacker can create authenticated sessions without providing valid credentials by submitting an empty authData object during signup, even when anonymous users are disabled.

How to fix Weak Authentication?

Upgrade parse-server to version 8.6.49, 9.6.0-alpha.29 or higher.

<8.6.49>=9.0.0-alpha.1 <9.6.0-alpha.29

Time-of-check Time-of-use (TOCTOU) Race Condition

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the password reset mechanism. An attacker can gain unauthorized access to a user's account by intercepting a password reset token and submitting concurrent requests, potentially causing the attacker's password to be set instead of the legitimate user's.

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade parse-server to version 8.6.48, 9.6.0-alpha.28 or higher.

<8.6.48>=9.0.0-alpha.1 <9.6.0-alpha.28

Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution in the deep copy mechanism. An attacker can inject unauthorized fields into class schemas and bypass security restrictions by exploiting prototype pollution in the deep copy process.

How to fix Prototype Pollution?

Upgrade parse-server to version 8.6.44, 9.6.0-alpha.20 or higher.

<8.6.44>=9.0.0-alpha.1 <9.6.0-alpha.20

Improper Validation of Syntactic Correctness of Input

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the LiveQuery subscription when an invalid regular expression pattern is provided. An attacker can cause the server process to terminate, resulting in denial of service for all connected clients by submitting a subscription request containing a malformed regular expression.

How to fix Improper Validation of Syntactic Correctness of Input?

Upgrade parse-server to version 8.6.43, 9.6.0-alpha.19 or higher.

<8.6.43>=9.0.0-alpha.1 <9.6.0-alpha.19

Improperly Controlled Modification of Dynamically-Determined Object Attributes

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the POST /classes/_Session endpoint. An attacker can manipulate server-generated session fields such as sessionToken, expiresAt, and createdWith by supplying crafted values, potentially bypassing session expiration policies and setting predictable session tokens.

How to fix Improperly Controlled Modification of Dynamically-Determined Object Attributes?

Upgrade parse-server to version 8.6.42, 9.6.0-alpha.17 or higher.

<8.6.42>=9.0.0-alpha.1 <9.6.0-alpha.17

Uncontrolled Recursion

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion while processing of deeply nested query condition operators. An attacker can cause the server process to crash and deny service to all connected clients by sending a single crafted request.

How to fix Uncontrolled Recursion?

Upgrade parse-server to version 8.6.45, 9.6.0-alpha.21 or higher.

<8.6.45>=9.0.0-alpha.1 <9.6.0-alpha.21

Cross-site Scripting (XSS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload process. An attacker can execute arbitrary scripts in the user's browser by uploading files with specially crafted Content-Type headers or with XML-based file extensions that bypass the blocklist. This can result in the compromise of session tokens, user credentials, or other sensitive data accessible via the browser's local storage.

Workaround

This vulnerability can be mitigated by configuring the fileUpload.fileExtensions option to use an allowlist of only the file extensions required by the application.

How to fix Cross-site Scripting (XSS)?

Upgrade parse-server to version 8.6.41, 9.6.0-alpha.15 or higher.

<8.6.41>=9.0.0-alpha.1 <9.6.0-alpha.15

Missing Authentication for Critical Function

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the createSubscriptions process. An attacker can execute unauthorized GraphQL operations, access schema introspection, and bypass query complexity limits by connecting to the WebSocket endpoint without valid credentials.

How to fix Missing Authentication for Critical Function?

Upgrade parse-server to version 8.6.40, 9.6.0-alpha.14 or higher.

<8.6.40>=9.0.0-alpha.1 <9.6.0-alpha.14

Function Call With Incorrect Order of Arguments

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Function Call With Incorrect Order of Arguments in the OAuth2 authentication adapter when both appidField and appIds are configured. An attacker can bypass authentication restrictions or cause authentication failures by exploiting the improper validation of app IDs, which results in a malformed value being sent to the token introspection endpoint instead of the user's actual access token.

How to fix Function Call With Incorrect Order of Arguments?

Upgrade parse-server to version 8.6.39, 9.6.0-alpha.13 or higher.

>=8.0.2 <8.6.39>=9.0.0-alpha.1 <9.6.0-alpha.13

Improper Neutralization of Special Elements in Data Query Logic

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic in the findUsersWithAuthData() function of authentication data identifier. An attacker can gain unauthorized access to any user account by sending a specially crafted login request that manipulates the user identifier, causing the server to perform a pattern-matching query instead of an exact-match lookup and returning a valid session token for the targeted account.

How to fix Improper Neutralization of Special Elements in Data Query Logic?

Upgrade parse-server to version 8.6.38, 9.6.0-alpha.12 or higher.

<8.6.38>=9.0.0-alpha.1 <9.6.0-alpha.12

Race Condition

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Race Condition in the OAuth2 auth adapter. An attacker can gain unauthorized access by exploiting a race condition that causes token validation to occur against the wrong provider's configuration during concurrent authentication requests. This is only exploitable if multiple OAuth2 providers are configured via the oauth2: true flag.

How to fix Race Condition?

Upgrade parse-server to version 8.6.37, 9.6.0-alpha.11 or higher.

<8.6.37>=9.0.0-alpha.1 <9.6.0-alpha.11

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure in the LiveQuery subscription process. An attacker can infer the values of protected fields by crafting a subscription with a WHERE clause that references protected fields, including using dot-notation or $regex, and observing whether LiveQuery events are triggered for matching objects.

Note: This is only exploitable if both protectedFields are configured in Class-Level Permissions and LiveQuery is enabled.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.35, 9.6.0-alpha.9 or higher.

<8.6.35>=9.0.0-alpha.1 <9.6.0-alpha.9

SQL Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection via the query field name when using PostgreSQL. An attacker can execute arbitrary SQL commands by injecting malicious field names in query constraints.

Note: This is only exploitable if the deployment is configured to use PostgreSQL as the database and the attacker possesses the master key.

How to fix SQL Injection?

Upgrade parse-server to version 8.6.36, 9.6.0-alpha.10 or higher.

<8.6.36>=9.0.0-alpha.1 <9.6.0-alpha.10

SQL Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection in the Increment operation on PostgreSQL when handling nested object fields using dot notation. An attacker can execute arbitrary SQL commands or access sensitive database information by crafting a malicious sub-key name containing single quotes in write requests to the REST API.

How to fix SQL Injection?

Upgrade parse-server to version 8.6.31, 9.6.0-alpha.5 or higher.

<8.6.31>=9.0.0-alpha.1 <9.6.0-alpha.5

Operation on a Resource after Expiration or Release

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the recovery code. An attacker can repeatedly gain unauthorized access to user accounts by reusing the same recovery code without it being invalidated.

How to fix Operation on a Resource after Expiration or Release?

Upgrade parse-server to version 8.6.33, 9.6.0-alpha.7 or higher.

<8.6.33>=9.0.0-alpha.1 <9.6.0-alpha.7

Incorrect Authorization

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Incorrect Authorization in the handling of protectedFields permissions when processing query WHERE clauses and sort parameters using dot-notation. An attacker can access or enumerate values of protected fields by crafting queries or sort operations that reference sub-fields via dot-notation.

How to fix Incorrect Authorization?

Upgrade parse-server to version 8.6.32, 9.6.0-alpha.6 or higher.

<8.6.32>=9.0.0-alpha.1 <9.6.0-alpha.6

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure in the /verificationEmailRequest endpoint. An attacker can determine whether specific email addresses are registered, already verified, or non-existent by analyzing the distinct error responses returned for each case.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.34, 9.6.0-alpha.8 or higher.

<8.6.34>=9.0.0-alpha.1 <9.6.0-alpha.8

Cross-site Scripting (XSS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload. An attacker can execute arbitrary scripts in the context of the application domain by uploading specially crafted files with certain extensions or content types that are not blocked by default. This can lead to theft of session tokens, redirection of users, or unauthorized actions performed on behalf of users when the uploaded file is accessed in a browser.

How to fix Cross-site Scripting (XSS)?

Upgrade parse-server to version 8.6.30, 9.6.0-alpha.4 or higher.

<8.6.30>=9.0.0-alpha.1 <9.6.0-alpha.4

LDAP Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the authData.id parameter during the construction of LDAP Distinguished Names and group search filters. An attacker can escalate privileges and bypass group membership restrictions by injecting crafted input.

Note: This is only exploitable if the LDAP authentication adapter is enabled with group-based access control.

How to fix LDAP Injection?

Upgrade parse-server to version 8.6.26, 9.5.2-alpha.13 or higher.

<8.6.26>=9.0.0-alpha.1 <9.5.2-alpha.13

Missing Authorization

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Missing Authorization via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes, which do not enforce master key authentication. An attacker can read, modify, and delete sensitive configuration and audience data by sending unauthorized requests to these endpoints.

How to fix Missing Authorization?

Upgrade parse-server to version 8.6.25, 9.5.2-alpha.12 or higher.

<8.6.25>=9.0.0-alpha.1 <9.5.2-alpha.12

SQL Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation. An attacker can execute arbitrary SQL queries and read sensitive data from the database by injecting malicious input into the amount parameter of a write request to the REST API.

How to fix SQL Injection?

Upgrade parse-server to version 8.6.29, 9.6.0-alpha.3 or higher.

<8.6.29>=9.0.0-alpha.1 <9.6.0-alpha.3

SQL Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection in the handling of dot-notation field names with the sort, distinct, or where query parameters in PostgreSQL deployments. An attacker can execute arbitrary SQL commands by injecting malicious input through these query parameters.

Note: This is only exploitable if the deployment is configured to use a PostgreSQL database.

How to fix SQL Injection?

Upgrade parse-server to version 8.6.28, 9.6.0-alpha.2 or higher.

<8.6.28>=9.0.0-alpha.1 <9.6.0-alpha.2

parse-server@8.6.23 vulnerabilities

An express module providing a Parse-compatible API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

Workaround