parse-server 9.1.0-alpha.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Server-side Request Forgery (SSRF) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `apiURL` parameter in `authData` used by the Instagram OAuth adapter. An attacker can make unauthorized requests to internal or external resources by supplying a malicious endpoint, potentially leading to authentication bypass if the endpoint returns crafted responses. How to fix Server-side Request Forgery (SSRF)? Upgrade `parse-server` to version 8.6.2, 9.1.1-alpha.1 or higher.	<8.6.2>=9.0.0 <9.1.1-alpha.1
M Cross-site Scripting (XSS) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of user-supplied input in the HTML pages for password reset and email verification. An attacker can execute arbitrary scripts in the context of a user's browser by crafting malicious input that is reflected in these pages. How to fix Cross-site Scripting (XSS)? Upgrade `parse-server` to version 8.6.1, 9.1.0-alpha.3 or higher.	<8.6.1>=9.0.0-alpha.1 <9.1.0-alpha.3

Vulnerability

Vulnerable Version

Server-side Request Forgery (SSRF)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the apiURL parameter in authData used by the Instagram OAuth adapter. An attacker can make unauthorized requests to internal or external resources by supplying a malicious endpoint, potentially leading to authentication bypass if the endpoint returns crafted responses.

How to fix Server-side Request Forgery (SSRF)?

Upgrade parse-server to version 8.6.2, 9.1.1-alpha.1 or higher.

<8.6.2>=9.0.0 <9.1.1-alpha.1

Cross-site Scripting (XSS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the rendering of user-supplied input in the HTML pages for password reset and email verification. An attacker can execute arbitrary scripts in the context of a user's browser by crafting malicious input that is reflected in these pages.

How to fix Cross-site Scripting (XSS)?

Upgrade parse-server to version 8.6.1, 9.1.0-alpha.3 or higher.

<8.6.1>=9.0.0-alpha.1 <9.1.0-alpha.3

parse-server@9.1.0-alpha.1 vulnerabilities

An express module providing a Parse-compatible API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically