Information Exposure Affecting parse-server package, versions <4.10.13 >=5.0.0 <5.2.4
Threat Intelligence
EPSS: 0.15% (52nd percentile)
- Snyk ID SNYK-JS-PARSESERVER-2938529
- published 1 Jul 2022
- disclosed 1 Jul 2022
- credit Unknown
Introduced: 1 Jul 2022
CVE-2022-31112
How to fix?
Upgrade parse-server to version 4.10.13, 5.2.4 or higher.
Overview
parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.
Affected versions of this package are vulnerable to Information Exposure because the LiveQueryController does not remove protected fields in classes, passing them to the client.
Workarounds:
Users can use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields.
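One way to apply this workaround in Cloud Code (an added example, not code from the advisory or the parse-server project). The class and field names in PROTECTED are hypothetical, and fakeObject is a constructed stand-in for Parse.Object so the handler can be exercised offline.

```javascript
// Added example: Cloud Code workaround sketch for an unpatched parse-server.
// PROTECTED is an assumption: mirror your own protectedFields configuration here.
const PROTECTED = {
  _User: ['email', 'phone'],      // hypothetical class and field names
  Invoice: ['internalNotes'],
};

// Remove the listed fields from a Parse.Object-like value using unset().
// Returns how many fields were actually present and removed.
function scrub(obj, fields) {
  if (!obj || typeof obj.unset !== 'function') return 0;
  let removed = 0;
  for (const f of fields) {
    if (obj.get(f) !== undefined) { obj.unset(f); removed++; }
  }
  return removed;
}

// Handler body: update events carry both the new and the previous state,
// so `original` has to be scrubbed as well as `object`.
function stripProtected(request, className) {
  const fields = PROTECTED[className] || [];
  return scrub(request.object, fields) + scrub(request.original, fields);
}

// Register only inside Cloud Code, where the Parse global exists.
if (typeof Parse !== 'undefined') {
  for (const className of Object.keys(PROTECTED)) {
    Parse.Cloud.afterLiveQueryEvent(className, (request) => {
      stripProtected(request, className);
    });
  }
}

// Constructed stand-in for Parse.Object (get/unset/toJSON only) for offline checks.
function fakeObject(attrs) {
  const data = { ...attrs };
  return {
    get: (k) => data[k],
    unset: (k) => { delete data[k]; },
    toJSON: () => ({ ...data }),
  };
}
```

This strips the fields for every subscriber, including any role or user that protectedFields would normally exempt. Confirm with a test subscription that the fields are absent from the event payload, and remove the hook after upgrading.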
CVSS Scores
version 3.1