parse-server 9.7.0-alpha.9

Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `clientSDK` parameter in the request-header parser. An attacker can exhaust CPU resources on a worker node by submitting an excessively long value for `x-parse-client-version`, causing eponential regex backtracking. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `parse-server` to version 8.6.77, 9.9.1-alpha.1 or higher.	<8.6.77>=9.0.0 <9.9.1-alpha.1
L Race Condition parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition due to a race condition in the `login` process. An attacker can obtain multiple valid session tokens by submitting concurrent requests with the same intercepted one-time password. This is only exploitable if the attacker already possesses the victim's password and can intercept the active SMS OTP, and is able to race the legitimate login request. How to fix Race Condition? Upgrade `parse-server` to version 8.6.76, 9.9.0-alpha.2 or higher.	<8.6.76>=9.0.0-alpha.1 <9.9.0-alpha.2
M Insertion of Sensitive Information Into Sent Data parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the `GET /sessions/me` endpoint, which fails to enforce `protectedFields` restrictions as configured by the server operator. An attacker can access sensitive session fields by making an authenticated request to this endpoint. How to fix Insertion of Sensitive Information Into Sent Data? Upgrade `parse-server` to version 8.6.75, 9.8.0-alpha.7 or higher.	>=7.0.0-alpha.1 <8.6.75>=9.0.0-alpha.1 <9.8.0-alpha.7
M Timing Attack parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Timing Attack via the login endpoint. An attacker can determine whether a username or email exists in the database by measuring response times for login attempts. This is possible because the server responds faster when a user does not exist and slower when a user exists but the password is incorrect, due to the presence or absence of a bcrypt comparison. How to fix Timing Attack? Upgrade `parse-server` to version 8.6.74, 9.8.0-alpha.6 or higher.	<8.6.74>=9.0.0-alpha.1 <9.8.0-alpha.6
L Interpretation Conflict parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Interpretation Conflict via the file upload process. An attacker can cause files to be served with an unintended `Content-Type` by uploading files with a mismatched extension and `Content-Type` header, potentially leading to files being interpreted incorrectly by clients or browsers. This is only exploitable if the storage adapter or CDN serves files using the stored `Content-Type` rather than deriving it from the filename extension. How to fix Interpretation Conflict? Upgrade `parse-server` to version 8.6.73, 9.7.1-alpha.4 or higher.	<8.6.73>=9.0.0-alpha.1 <9.7.1-alpha.4
H Improper Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Improper Authorization via the `afterFind` process. An attacker can gain unauthorized access to protected files by sending HTTP Range requests that bypass authorization logic and built-in validators on storage adapters supporting streaming. How to fix Improper Authorization? Upgrade `parse-server` to version 8.6.71, 9.7.1-alpha.1 or higher.	<8.6.71>=9.0.0 <9.7.1-alpha.1
M Incorrect Comparison parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Comparison via the `session update` process. An attacker can extend the validity of a session indefinitely by sending a null value for protected session fields, thereby bypassing configured session length policies. How to fix Incorrect Comparison? Upgrade `parse-server` to version 8.6.69, 9.7.0-alpha.14 or higher.	<8.6.69>=9.0.0 <9.7.0-alpha.14
M Access of Resource Using Incompatible Type ('Type Confusion') parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') via the LiveQuery subscription process when an authenticated user with `find` class-level permission sends a subscription containing a `$or`, `$and`, or `$nor` operator value as an array-like object with numeric keys and a `length` property instead of an array. An attacker can infer the values of protected fields by observing subscription event responses and using them as a binary oracle. How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade `parse-server` to version 8.6.70, 9.7.0-alpha.16 or higher.	<8.6.70>=9.0.0 <9.7.0-alpha.16
H Inefficient Algorithmic Complexity parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the GraphQL query complexity validation process. An attacker can cause the Node.js event loop to become blocked for several seconds by sending a specially crafted query with binary fan-out fragment spreads, resulting in denial of service to all concurrent users. This is only exploitable if the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options are enabled. How to fix Inefficient Algorithmic Complexity? Upgrade `parse-server` to version 8.6.68, 9.7.0-alpha.12 or higher.	<8.6.68>=9.0.0 <9.7.0-alpha.12
C Incorrect Authorization parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization via the `Cloud Function` handler resolution process. An attacker can gain unauthorized access to protected functions by appending `.prototype.constructor` to the function name in the URL, which causes the validator access controls to be bypassed during prototype chain traversal. This allows invocation of functions intended to be restricted to authenticated or privileged users. How to fix Incorrect Authorization? Upgrade `parse-server` to version 8.6.67, 9.7.0-alpha.11 or higher.	<8.6.67>=9.0.0 <9.7.0-alpha.11
M Origin Validation Error parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Origin Validation Error via the GraphQL API endpoint ignoring the configured CORS `allowOrigin` restriction. An attacker can interact with the API from unauthorized origins by sending cross-origin requests. How to fix Origin Validation Error? Upgrade `parse-server` to version 8.6.66, 9.7.0-alpha.10 or higher.	>=3.5.0 <8.6.66>=9.0.0-alpha.1 <9.7.0-alpha.10

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)