parse-server 8.6.51 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Uncontrolled Recursion parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the `requestComplexity.queryDepth` configuration setting when processing WebSocket subscription requests. An attacker can cause excessive recursion and CPU consumption by sending a subscription with deeply nested logical operators, potentially degrading or disrupting service availability. Note: This is only exploitable if the LiveQuery WebSocket endpoint is accessible to untrusted clients. How to fix Uncontrolled Recursion? Upgrade `parse-server` to version 8.6.56, 9.6.0-alpha.45 or higher.	<8.6.56>=9.0.0 <9.6.0-alpha.45
M Information Exposure parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Information Exposure via the `watch` parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer changes to protected fields by observing the presence or absence of update events, effectively revealing sensitive information about those fields without direct access. How to fix Information Exposure? Upgrade `parse-server` to version 8.6.54, 9.6.0-alpha.43 or higher.	<8.6.54>=9.0.0 <9.6.0-alpha.43
H Incorrect Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker can gain unauthorized access to sensitive data by subscribing to real-time updates for objects in classes protected by pointer permissions, even if the pointer fields do not reference the subscribing user. How to fix Incorrect Authorization? Upgrade `parse-server` to version 8.6.53, 9.6.0-alpha.42 or higher.	<8.6.53>=9.0.0 <9.6.0-alpha.42
H Uncontrolled Recursion parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become permanently unresponsive by sending an unauthenticated HTTP request with a deeply nested query containing logical operators. How to fix Uncontrolled Recursion? Upgrade `parse-server` to version 8.6.55, 9.6.0-alpha.44 or higher.	<8.6.55>=9.0.0-alpha.1 <9.6.0-alpha.44
H Missing Authentication for Critical Function parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option `allowExpiredAuthDataToken` is set to `true`. How to fix Missing Authentication for Critical Function? Upgrade `parse-server` to version 8.6.52, 9.6.0-alpha.41 or higher.	<8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41

Vulnerability

Vulnerable Version

Uncontrolled Recursion

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can cause excessive recursion and CPU consumption by sending a subscription with deeply nested logical operators, potentially degrading or disrupting service availability.

Note: This is only exploitable if the LiveQuery WebSocket endpoint is accessible to untrusted clients.

How to fix Uncontrolled Recursion?

Upgrade parse-server to version 8.6.56, 9.6.0-alpha.45 or higher.

<8.6.56>=9.0.0 <9.6.0-alpha.45

Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure via the watch parameter in LiveQuery subscriptions targeting protected fields. An attacker can infer changes to protected fields by observing the presence or absence of update events, effectively revealing sensitive information about those fields without direct access.

How to fix Information Exposure?

Upgrade parse-server to version 8.6.54, 9.6.0-alpha.43 or higher.

<8.6.54>=9.0.0 <9.6.0-alpha.43

Incorrect Authorization

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Incorrect Authorization in the LiveQuery WebSocket interface due to improper enforcement of pointer permissions. An attacker can gain unauthorized access to sensitive data by subscribing to real-time updates for objects in classes protected by pointer permissions, even if the pointer fields do not reference the subscribing user.

How to fix Incorrect Authorization?

Upgrade parse-server to version 8.6.53, 9.6.0-alpha.42 or higher.

<8.6.53>=9.0.0 <9.6.0-alpha.42

Uncontrolled Recursion

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Recursion via the pre-validation transform pipeline. An attacker can cause the server process to become permanently unresponsive by sending an unauthenticated HTTP request with a deeply nested query containing logical operators.

How to fix Uncontrolled Recursion?

Upgrade parse-server to version 8.6.55, 9.6.0-alpha.44 or higher.

<8.6.55>=9.0.0-alpha.1 <9.6.0-alpha.44

Missing Authentication for Critical Function

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to the improper validation of third-party auth provider's credentials. An attacker can gain unauthorized access to user accounts by providing only the user's provider ID, bypassing credential verification. This is only exploitable if the server option allowExpiredAuthDataToken is set to true.

How to fix Missing Authentication for Critical Function?

Upgrade parse-server to version 8.6.52, 9.6.0-alpha.41 or higher.

<8.6.52>=9.0.0-alpha.1 <9.6.0-alpha.41

parse-server@8.6.51 vulnerabilities

An express module providing a Parse-compatible API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically