Arbitrary File Uploadparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Arbitrary File Upload in the file upload process when a malformed Content-Type header is supplied and the file extension is not recognized by the mime package. An attacker can execute arbitrary scripts in the context of the application's origin by uploading a file with a crafted Content-Type and file body containing HTML, which is then served to other users who open the file URL. This is only exploitable if a storage adapter that persists and serves the uploaded Content-Type (such as Amazon S3, Google Cloud Storage, or Azure Blob Storage) is used.
How to fix Arbitrary File Upload? Upgrade parse-server to version 8.6.84, 9.10.0-alpha.2 or higher.
| <8.6.84>=9.0.0 <9.10.0-alpha.2 |
Inefficient Algorithmic Complexityparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity through the query-depth processing in validateQueryDepth and ParseLiveQueryServer._handleSubscribe. An attacker can exhaust the server CPU and hang the event loop by sending a query with deeply nested logical operators such as $or, $and, or $nor wrapped inside field-level operators like $elemMatch. The vulnerable recursion did not consistently count logical operators nested under fields, and the object-walking logic could re-traverse nested arrays exponentially. This allows a single small REST or Live Query request to trigger extensive processing, causing latency spikes and service unavailability for other users.
How to fix Inefficient Algorithmic Complexity? Upgrade parse-server to version 8.6.82, 9.9.1-alpha.12 or higher.
| <8.6.82>=9.0.0-alpha.1 <9.9.1-alpha.12 |
Insertion of Sensitive Information Into Sent Dataparse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data disclosure through the ParseLiveQueryServer event serialization in ParseLiveQueryServer.js. An attacker can learn object data they are no longer authorized to read by when a subscribed object transitions from readable to unreadable or from unreadable to readable in the same save. When a leave event is triggered by an ACL read-access revocation, the server sends the object body from the post-save state instead of the last state the subscriber was allowed to see, and when an enter event is triggered by an ACL grant, it can include the pre-grant original object data. This leaks secret field values to LiveQuery subscribers and exposes object contents that should have been hidden after the ACL change.
Workarounds
- Do not change an object's field values and a subscriber's ACL read access in the same
save on LiveQuery-enabled classes; perform the ACL change in a separate save before or after the content change to prevent leaking object data in leave or enter events.
How to fix Insertion of Sensitive Information Into Sent Data? Upgrade parse-server to version 8.6.83, 9.9.1-alpha.13 or higher.
| <8.6.83>=9.0.0-alpha.1 <9.9.1-alpha.13 |