parse-server 9.8.0-alpha.2

Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the `clientSDK` parameter in the request-header parser. An attacker can exhaust CPU resources on a worker node by submitting an excessively long value for `x-parse-client-version`, causing eponential regex backtracking. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `parse-server` to version 8.6.77, 9.9.1-alpha.1 or higher.	<8.6.77>=9.0.0 <9.9.1-alpha.1
L Race Condition parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Race Condition due to a race condition in the `login` process. An attacker can obtain multiple valid session tokens by submitting concurrent requests with the same intercepted one-time password. This is only exploitable if the attacker already possesses the victim's password and can intercept the active SMS OTP, and is able to race the legitimate login request. How to fix Race Condition? Upgrade `parse-server` to version 8.6.76, 9.9.0-alpha.2 or higher.	<8.6.76>=9.0.0-alpha.1 <9.9.0-alpha.2
M Insertion of Sensitive Information Into Sent Data parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the `GET /sessions/me` endpoint, which fails to enforce `protectedFields` restrictions as configured by the server operator. An attacker can access sensitive session fields by making an authenticated request to this endpoint. How to fix Insertion of Sensitive Information Into Sent Data? Upgrade `parse-server` to version 8.6.75, 9.8.0-alpha.7 or higher.	>=7.0.0-alpha.1 <8.6.75>=9.0.0-alpha.1 <9.8.0-alpha.7
M Timing Attack parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Timing Attack via the login endpoint. An attacker can determine whether a username or email exists in the database by measuring response times for login attempts. This is possible because the server responds faster when a user does not exist and slower when a user exists but the password is incorrect, due to the presence or absence of a bcrypt comparison. How to fix Timing Attack? Upgrade `parse-server` to version 8.6.74, 9.8.0-alpha.6 or higher.	<8.6.74>=9.0.0-alpha.1 <9.8.0-alpha.6

Vulnerability

Vulnerable Version

Regular Expression Denial of Service (ReDoS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the clientSDK parameter in the request-header parser. An attacker can exhaust CPU resources on a worker node by submitting an excessively long value for x-parse-client-version, causing eponential regex backtracking.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade parse-server to version 8.6.77, 9.9.1-alpha.1 or higher.

<8.6.77>=9.0.0 <9.9.1-alpha.1

Race Condition

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Race Condition due to a race condition in the login process. An attacker can obtain multiple valid session tokens by submitting concurrent requests with the same intercepted one-time password. This is only exploitable if the attacker already possesses the victim's password and can intercept the active SMS OTP, and is able to race the legitimate login request.

How to fix Race Condition?

Upgrade parse-server to version 8.6.76, 9.9.0-alpha.2 or higher.

<8.6.76>=9.0.0-alpha.1 <9.9.0-alpha.2

Insertion of Sensitive Information Into Sent Data

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data via the GET /sessions/me endpoint, which fails to enforce protectedFields restrictions as configured by the server operator. An attacker can access sensitive session fields by making an authenticated request to this endpoint.

How to fix Insertion of Sensitive Information Into Sent Data?

Upgrade parse-server to version 8.6.75, 9.8.0-alpha.7 or higher.

>=7.0.0-alpha.1 <8.6.75>=9.0.0-alpha.1 <9.8.0-alpha.7

Timing Attack

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Timing Attack via the login endpoint. An attacker can determine whether a username or email exists in the database by measuring response times for login attempts. This is possible because the server responds faster when a user does not exist and slower when a user exists but the password is incorrect, due to the presence or absence of a bcrypt comparison.

How to fix Timing Attack?

Upgrade parse-server to version 8.6.74, 9.8.0-alpha.6 or higher.

<8.6.74>=9.0.0-alpha.1 <9.8.0-alpha.6

parse-server@9.8.0-alpha.2

An express module providing a Parse-compatible API server

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically