parse-server
104 known vulnerabilities · 7 critical · 19 high
parse-server's session object properties can be updated by foreign user if object ID is known
Remote code execution via MongoDB BSON parser through prototype pollution
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Server crashes on invalid Cloud Function or Cloud Job name
Parse Server has an auth provider validation bypass on login via partial authData
Parse Server has a protected fields bypass via logical query operators
Parse Server has a bypass of class-level permissions in LiveQuery
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Parse Server has a SQL injection via query field name when using PostgreSQL
Parse Server's custom object ID allows acquiring role privileges
Parse Server vulnerable to user enumeration via email verification endpoint
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Parse Server may crash when uploading file without extension
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Parse Server LiveQuery subscription with invalid regular expression crashes server
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Parse Server session creation endpoint allows overwriting server-generated session fields
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Parse Server affected by empty authData bypassing credential requirement on signup
Parse Server: MFA recovery code single-use bypass via concurrent requests
Parse Server before v3.4.1 vulnerable to Denial of Service
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Parse Server missing audience validation in Keycloak authentication adapter
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Phishing attack vulnerability by uploading malicious HTML file
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Command injection in Parse Server through prototype pollution
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
parse-server auth adapter app ID validation can be circumvented
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
parse-server: Malformed `$regex` query leaks database error details in API response
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Parse Server has a login timing side-channel that reveals user existence
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
parse-server crashes when receiving file download request with invalid byte range
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Authentication bypass vulnerability in Apple Game Center auth adapter
Parse Server option `masterKeyIps` vulnerability to IP spoofing
Parse Server has a password reset token single-use bypass via concurrent requests
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Parse Server exposes auth data via verify password endpoint
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Parse Server: Account takeover via operator injection in authentication data identifier
Parse Server email verification resend page leaks user existence
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Parse Server's streaming file download bypasses afterFind file trigger authorization
GraphQL API endpoint ignores CORS origin restriction
Parse Server: File upload Content-Type override via extension mismatch
Parse Server has an MFA single-use token bypass via concurrent authData login requests
parse-server new anonymous user session acts as if it were created with a password
Parse Server has a session field immutability bypass via falsy-value guard
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Parse Server has a protected fields bypass via dot-notation in query and sort
parse-server has cloud function validator bypass via prototype chain traversal