parse 2.3.1 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the parse package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app. Affected versions of this package are vulnerable to Prototype Pollution which allows an attacker to execute arbitrary code remotely by injecting a malicious payload into affected APIs, including: `ParseObject.fromJSON`, `ParseObject.pin`, `ParseObject.registerSubclass`, `ObjectStateMutations`, and `encode`/`decode`. How to fix Prototype Pollution? Upgrade `parse` to version 7.0.0-alpha.1 or higher.	<7.0.0-alpha.1
H Prototype Pollution parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app. Affected versions of this package are vulnerable to Prototype Pollution via the `initializeState()` function. An attacker can cause a denial of service by injecting malicious properties into `Object.prototype` by specifying a className value of 'proto'. Note: The vulnerability was fixed in 7.0.0; however, the maintainer recommends skipping this release as it contains a bug that introduces a breaking change in the format of Parse Server 5xx responses. How to fix Prototype Pollution? Upgrade `parse` to version 7.0.1 or higher.	<7.0.1
M Insufficiently Protected Credentials parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app. Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The `setPassword` method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext." PoC by Diamond Lewis and Colin Ulin `async () => { const user = Parse.User.current() if (user) { user.setPassword('newpass') await user.save() } }` After running the above code, the new password will be stored in localStorage as a property named "password". How to fix Insufficiently Protected Credentials? Upgrade `parse` to version 2.10.0 or higher.	<2.10.0

Vulnerability

Vulnerable Version

Prototype Pollution

parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.

Affected versions of this package are vulnerable to Prototype Pollution which allows an attacker to execute arbitrary code remotely by injecting a malicious payload into affected APIs, including: ParseObject.fromJSON, ParseObject.pin, ParseObject.registerSubclass, ObjectStateMutations, and encode/decode.

How to fix Prototype Pollution?

Upgrade parse to version 7.0.0-alpha.1 or higher.

<7.0.0-alpha.1

Prototype Pollution

parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.

Affected versions of this package are vulnerable to Prototype Pollution via the initializeState() function. An attacker can cause a denial of service by injecting malicious properties into Object.prototype by specifying a className value of 'proto'.

Note: The vulnerability was fixed in 7.0.0; however, the maintainer recommends skipping this release as it contains a bug that introduces a breaking change in the format of Parse Server 5xx responses.

How to fix Prototype Pollution?

Upgrade parse to version 7.0.1 or higher.

<7.0.1

Insufficiently Protected Credentials

parse is a library that gives you access to the powerful Parse Server backend from your JavaScript app.

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user's password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all. In the documentation under Users > Signing Up, it clearly states, "We never store passwords in plaintext, nor will we ever transmit passwords back to the client in plaintext."

PoC by Diamond Lewis and Colin Ulin

async () => {
    const user = Parse.User.current()
    if (user) {
        user.setPassword('newpass')
        await user.save()
    }
}

After running the above code, the new password will be stored in localStorage as a property named "password".

How to fix Insufficiently Protected Credentials?

Upgrade parse to version 2.10.0 or higher.

<2.10.0

parse@2.3.1 vulnerabilities

Parse JavaScript SDK

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically

PoC by Diamond Lewis and Colin Ulin