parse-server@8.6.45 vulnerabilities
An express module providing a Parse-compatible API server
latest version
9.6.1
latest non vulnerable version
first published
13 years ago
latest version published
11 hours ago
licenses detected
- >=6.0.0-alpha.31
Direct Vulnerabilities
Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.
Fix vulnerabilities automatically
Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.
Fix for free| Vulnerability | Vulnerable Version |
|---|---|
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become permanently unresponsive by sending an unauthenticated HTTP request with a deeply nested query containing logical operators. How to fix Uncontrolled Recursion? Upgrade | <8.6.55>=9.0.0-alpha.1 <9.6.0-alpha.44 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option How to fix Missing Authentication for Critical Function? Upgrade | <8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure through the Pages and legacy PublicAPI routes that do not respect How to fix Information Exposure? Upgrade | <8.6.51>=9.0.0-alpha.1 <9.6.0-alpha.40 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the How to fix Information Exposure? Upgrade | <8.6.50>=9.0.0 <9.6.0-alpha.35 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improperly Controlled Sequential Memory Allocation in the Cloud function endpoint. An attacker can cause the server process to crash by invoking a cloud function endpoint with a specially crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, resulting in a stack overflow. How to fix Improperly Controlled Sequential Memory Allocation? Upgrade | <8.6.47>=9.0.0-alpha.1 <9.6.0-alpha.24 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Weak Authentication in the user sign up. An attacker can create authenticated sessions without providing valid credentials by submitting an empty How to fix Weak Authentication? Upgrade | <8.6.49>=9.0.0-alpha.1 <9.6.0-alpha.29 |
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition in the password reset mechanism. An attacker can gain unauthorized access to a user's account by intercepting a password reset token and submitting concurrent requests, potentially causing the attacker's password to be set instead of the legitimate user's. How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade | <8.6.48>=9.0.0-alpha.1 <9.6.0-alpha.28 |