Authorization Bypass Through User-Controlled Keyparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the reduceRelationKeys and authorizeRelatedToQuery paths in DatabaseController. An attacker can read related objects or probe relation membership by sending a $relatedTo query against a relation on an owning object they are not allowed to read, or against a relation field marked as protected. The vulnerable query path reads the relation join table before checking the owning object’s ACL, CLP, or protectedFields, so a caller can use $relatedTo to retrieve linked object IDs or infer whether a specific object is attached to a hidden relation. This exposes related records that should remain inaccessible and turns relation queries into a membership oracle for private parent objects.
How to fix Authorization Bypass Through User-Controlled Key? Upgrade parse-server to version 8.6.80, 9.9.1-alpha.6 or higher.
| <8.6.80>=9.0.0-alpha.1 <9.9.1-alpha.6 |
Cross-site Scripting (XSS)parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the FilesController.createFile and FilesRouter file-extension handling in the file upload components. An attacker can upload an SVG or other scriptable file by supplying a filename with a trailing dot, such as poc.svg., and a dangerous Content-Type or _ContentType value that bypasses the extension blocklist. The uploaded object is then stored under a filename that is treated as extensionless or misparsed, allowing the attacker to persist active content that executes when a user later opens or serves the file.
Notes
- The bypass only matters for deployments that rely on the default file-extension blocklist to police uploads; storage adapters or CDNs which serve the stored
Content-Type unchanged can turn that bypass into active content delivery, while the default GridFS adapter is not affected because it sends X-Content-Type-Options: nosniff.
- The vulnerable path is not limited to the URL filename form alone: uploads that supply
_ContentType in the JSON-body fileViaJSON flow are also subject to the same trailing-dot parsing issue, so API clients using that upload mode are in scope too.
Workarounds
- Configure the storage adapter or CDN to derive
Content-Type from the filename extension instead of trusting the stored Content-Type; this prevents uploaded files with a trailing-dot name from being served with an active MIME type such as image/svg+xml.
- Replace the default file-extension blocklist with an explicit allowlist of only the file extensions you need; this prevents attackers from bypassing the blocklist by using a trailing-dot filename like
poc.svg..
How to fix Cross-site Scripting (XSS)? Upgrade parse-server to version 8.6.79, 9.9.1-alpha.4 or higher.
| <8.6.79>=9.0.0-alpha.1 <9.9.1-alpha.4 |
Information Exposureparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Information Exposure via the Did you mean ...? suggestions in GraphQL validation-error messages. An attacker can enumerate schema metadata, such as class names, field names, argument names, mutation names, and input-object fields, by sending malformed queries to the GraphQL endpoint.
Note:
This is only exploitable if the GraphQL API is enabled and the attacker is unauthenticated while graphQLPublicIntrospection is set to false.
This vulnerability bypasses the IntrospectionControlPlugin enforced when graphQLPublicIntrospection: false (the default) and defeats the schema-hiding goal of prior advisories CVE-2026-30854 and CVE-2025-53364.
How to fix Information Exposure? Upgrade parse-server to version 8.6.78, 9.9.1-alpha.2 or higher.
| <8.6.78>=9.0.0-alpha.1 <9.9.1-alpha.2 |
Regular Expression Denial of Service (ReDoS)parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the clientSDK parameter in the request-header parser. An attacker can exhaust CPU resources on a worker node by submitting an excessively long value for x-parse-client-version, causing eponential regex backtracking.
How to fix Regular Expression Denial of Service (ReDoS)? Upgrade parse-server to version 8.6.77, 9.9.1-alpha.1 or higher.
| <8.6.77>=9.0.0 <9.9.1-alpha.1 |
Race Conditionparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Race Condition due to a race condition in the login process. An attacker can obtain multiple valid session tokens by submitting concurrent requests with the same intercepted one-time password. This is only exploitable if the attacker already possesses the victim's password and can intercept the active SMS OTP, and is able to race the legitimate login request.
How to fix Race Condition? Upgrade parse-server to version 8.6.76, 9.9.0-alpha.2 or higher.
| <8.6.76>=9.0.0-alpha.1 <9.9.0-alpha.2 |
Insertion of Sensitive Information Into Sent Dataparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the GET /sessions/me endpoint, which fails to enforce protectedFields restrictions as configured by the server operator. An attacker can access sensitive session fields by making an authenticated request to this endpoint.
How to fix Insertion of Sensitive Information Into Sent Data? Upgrade parse-server to version 8.6.75, 9.8.0-alpha.7 or higher.
| >=7.0.0-alpha.1 <8.6.75>=9.0.0-alpha.1 <9.8.0-alpha.7 |
Timing Attackparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Timing Attack via the login endpoint. An attacker can determine whether a username or email exists in the database by measuring response times for login attempts. This is possible because the server responds faster when a user does not exist and slower when a user exists but the password is incorrect, due to the presence or absence of a bcrypt comparison.
How to fix Timing Attack? Upgrade parse-server to version 8.6.74, 9.8.0-alpha.6 or higher.
| <8.6.74>=9.0.0-alpha.1 <9.8.0-alpha.6 |
Interpretation Conflictparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Interpretation Conflict via the file upload process. An attacker can cause files to be served with an unintended Content-Type by uploading files with a mismatched extension and Content-Type header, potentially leading to files being interpreted incorrectly by clients or browsers. This is only exploitable if the storage adapter or CDN serves files using the stored Content-Type rather than deriving it from the filename extension.
How to fix Interpretation Conflict? Upgrade parse-server to version 8.6.73, 9.7.1-alpha.4 or higher.
| <8.6.73>=9.0.0-alpha.1 <9.7.1-alpha.4 |
Improper Authorizationparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Improper Authorization via the afterFind process. An attacker can gain unauthorized access to protected files by sending HTTP Range requests that bypass authorization logic and built-in validators on storage adapters supporting streaming.
How to fix Improper Authorization? Upgrade parse-server to version 8.6.71, 9.7.1-alpha.1 or higher.
| <8.6.71>=9.0.0 <9.7.1-alpha.1 |
Incorrect Comparisonparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Incorrect Comparison via the session update process. An attacker can extend the validity of a session indefinitely by sending a null value for protected session fields, thereby bypassing configured session length policies.
How to fix Incorrect Comparison? Upgrade parse-server to version 8.6.69, 9.7.0-alpha.14 or higher.
| <8.6.69>=9.0.0 <9.7.0-alpha.14 |
Access of Resource Using Incompatible Type ('Type Confusion')parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the LiveQuery subscription process when an authenticated user with find class-level permission sends a subscription containing a $or, $and, or $nor operator value as an array-like object with numeric keys and a length property instead of an array. An attacker can infer the values of protected fields by observing subscription event responses and using them as a binary oracle.
How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade parse-server to version 8.6.70, 9.7.0-alpha.16 or higher.
| <8.6.70>=9.0.0 <9.7.0-alpha.16 |
Inefficient Algorithmic Complexityparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the GraphQL query complexity validation process. An attacker can cause the Node.js event loop to become blocked for several seconds by sending a specially crafted query with binary fan-out fragment spreads, resulting in denial of service to all concurrent users. This is only exploitable if the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options are enabled.
How to fix Inefficient Algorithmic Complexity? Upgrade parse-server to version 8.6.68, 9.7.0-alpha.12 or higher.
| <8.6.68>=9.0.0 <9.7.0-alpha.12 |
Incorrect Authorizationparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Incorrect Authorization via the Cloud Function handler resolution process. An attacker can gain unauthorized access to protected functions by appending .prototype.constructor to the function name in the URL, which causes the validator access controls to be bypassed during prototype chain traversal. This allows invocation of functions intended to be restricted to authenticated or privileged users.
How to fix Incorrect Authorization? Upgrade parse-server to version 8.6.67, 9.7.0-alpha.11 or higher.
| <8.6.67>=9.0.0 <9.7.0-alpha.11 |
Origin Validation Errorparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Origin Validation Error via the GraphQL API endpoint ignoring the configured CORS allowOrigin restriction. An attacker can interact with the API from unauthorized origins by sending cross-origin requests.
How to fix Origin Validation Error? Upgrade parse-server to version 8.6.66, 9.7.0-alpha.10 or higher.
| >=3.5.0 <8.6.66>=9.0.0-alpha.1 <9.7.0-alpha.10 |
