parse-server@8.6.79

An express module providing a Parse-compatible API server

  • latest version

    9.9.0

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • L
    Arbitrary File Upload

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Arbitrary File Upload in the file upload process when a malformed Content-Type header is supplied and the file extension is not recognized by the mime package. An attacker can execute arbitrary scripts in the context of the application's origin by uploading a file with a crafted Content-Type and file body containing HTML, which is then served to other users who open the file URL. This is only exploitable if a storage adapter that persists and serves the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage) is used.

    How to fix Arbitrary File Upload?

    Upgrade parse-server to version 8.6.84, 9.10.0-alpha.2 or higher.

    <8.6.84>=9.0.0 <9.10.0-alpha.2
    • H
    Inefficient Algorithmic Complexity

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the query-depth processing in validateQueryDepth and ParseLiveQueryServer._handleSubscribe. An attacker can exhaust the server CPU and hang the event loop by sending a query with deeply nested logical operators such as $or, $and, or $nor wrapped inside field-level operators like $elemMatch. The vulnerable recursion did not consistently count logical operators nested under fields, and the object-walking logic could re-traverse nested arrays exponentially. This allows a single small REST or Live Query request to trigger extensive processing, causing latency spikes and service unavailability for other users.

    How to fix Inefficient Algorithmic Complexity?

    Upgrade parse-server to version 8.6.82, 9.9.1-alpha.12 or higher.

    <8.6.82>=9.0.0-alpha.1 <9.9.1-alpha.12
    • L
    Cross-site Scripting (XSS)

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the file upload extension check in FilesRouter in src/FilesRouter and FilesController. An attacker can upload a malicious HTML or SVG file by naming it with a non-standard extension such as .svg~, .svg.bak, or .html.old while supplying a dangerous Content-Type, causing the blocklist to miss the real browser-served type. The uploaded content is then stored and later served as active markup, letting the attacker execute scripts in users’ browser when they open the file. This can expose session data, perform actions as the user, or compromise affected accounts.

    Notes

    • The default bypass is only relevant when the upload is accepted from non-master/API clients and the storage adapter later preserves the client-supplied Content-Type; this includes S3 and GCS as examples of adapters where the uploaded object is served back with that type.
    • The default GridFS/filesystem adapter is less exposed to browser execution because it sends X-Content-Type-Options: nosniff, so the issue’s practical impact is narrower there even though the blocklist bypass still exists.

    Workaround

    • Configure fileUpload.fileExtensions as a strict allowlist of only the file extensions your application needs (for example ["^(png|jpe?g|gif|pdf)$"]) instead of relying on the default blocklist.

    How to fix Cross-site Scripting (XSS)?

    Upgrade parse-server to version 8.6.81, 9.9.1-alpha.11 or higher.

    >=6.2.0 <8.6.81>=9.0.0-alpha.1 <9.9.1-alpha.11
    • M
    Insertion of Sensitive Information Into Sent Data

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data disclosure through the ParseLiveQueryServer event serialization in ParseLiveQueryServer.js. An attacker can learn object data they are no longer authorized to read by when a subscribed object transitions from readable to unreadable or from unreadable to readable in the same save. When a leave event is triggered by an ACL read-access revocation, the server sends the object body from the post-save state instead of the last state the subscriber was allowed to see, and when an enter event is triggered by an ACL grant, it can include the pre-grant original object data. This leaks secret field values to LiveQuery subscribers and exposes object contents that should have been hidden after the ACL change.

    Workarounds

    • Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the ACL change in a separate save before or after the content change to prevent leaking object data in leave or enter events.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade parse-server to version 8.6.83, 9.9.1-alpha.13 or higher.

    <8.6.83>=9.0.0-alpha.1 <9.9.1-alpha.13
    • M
    Authorization Bypass Through User-Controlled Key

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the reduceRelationKeys and authorizeRelatedToQuery paths in DatabaseController. An attacker can read related objects or probe relation membership by sending a $relatedTo query against a relation on an owning object they are not allowed to read, or against a relation field marked as protected. The vulnerable query path reads the relation join table before checking the owning object’s ACL, CLP, or protectedFields, so a caller can use $relatedTo to retrieve linked object IDs or infer whether a specific object is attached to a hidden relation. This exposes related records that should remain inaccessible and turns relation queries into a membership oracle for private parent objects.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade parse-server to version 8.6.80, 9.9.1-alpha.6 or higher.

    <8.6.80>=9.0.0-alpha.1 <9.9.1-alpha.6