Version 7.0.0

parse-server

Parse Server for Node.js / Express

Install Instructions

npm install parse-server
Current Version Release Date October 03, 2024
Language JavaScript/TypeScript
Package URL (purl) pkg:npm/parse-server@7.0.0

Find parse-server vulnerabilities in your supply chain.

Scan for Free

parse-server Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2019-1020012 High 7.5 CWE-444 0.00103 0.43763
  • 3.0.0–3.4.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2019-1020013 Medium 5.3 CWE-209 0.00084 0.37235
  • 3.0.0–3.5.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2020-15270 Medium 4.3 CWE-672 0.0006 0.27335
  • 4.0.2–4.3.0
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2020-26288 Medium 6.5 CWE-312 0.00092 0.40915
  • 4.0.2–4.4.0
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2020-5251 Medium 5.3 CWE-285, CWE-863 0.00071 0.32618
  • 4.0.2
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2021-39138 Medium 6.5 CWE-863 0.00086 0.38055
  • 4.0.2–4.5.1
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2021-39187 High 7.5 CWE-755 0.0017 0.55168
  • 4.0.2–4.10.2
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2021-41109 High 7.5 CWE-200 0.00137 0.50484
  • 4.0.2–4.10.3
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-24760 High 10 CWE-1321 0.10314 0.95195
  • 4.0.2–4.10.6
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-24901 High 7.5 CWE-295, CWE-287 0.00103 0.43548
  • 5.0.0–5.2.1-alpha.2
  • 4.0.2–4.10.9
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-31083 High 7.5 CWE-295, CWE-287 0.00084 0.37279
  • 5.0.0–5.2.1-alpha.2
  • 4.0.2–4.10.10
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-31089 High 7.5 CWE-706, CWE-252 0.00091 0.4051
  • 5.0.0–5.2.2
  • 4.0.2–4.10.11
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-31112 High 8.2 CWE-212, CWE-200 0.0015 0.52291
  • 5.0.0–5.2.3
  • 4.0.2–4.10.12
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-36079 High 7.5 CWE-200 0.00171 0.55214
  • 5.0.0–5.2.4
  • 4.0.2–4.10.13
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-39225 Low 3.1 CWE-669 0.00054 0.24397
  • 5.0.0–5.2.5
  • 4.0.2–4.10.14
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-39231 Low 3.7 CWE-287 0.00072 0.33048
  • 5.0.0–5.2.6
  • 4.0.2–4.10.15
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-39313 High 7.5 CWE-1284, CWE-20 0.00089 0.39715
  • 5.0.0–5.2.7
  • 4.0.2–4.10.16
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-39396 High 9.8 CWE-1321 0.00499 0.77015
  • 5.0.0–5.3.0-beta.1
  • 4.0.2–4.10.17
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-41878 High 9.8 CWE-1321 0.00372 0.7345
  • 5.0.0–5.3.1
  • 4.0.2–4.10.18
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2022-41879 High 9.8 CWE-1321 0.00275 0.68851
  • 5.0.0–5.3.2
  • 4.0.2–4.10.19
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2023-22474 High 8.1 CWE-290 0.00063 0.286
  • 5.0.0–5.4.0-beta.1
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2023-32689 Medium 6.5 CWE-434 0.00113 0.46304
  • 6.0.0–6.1.0-beta.2
  • 5.0.0–5.4.3
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2023-36475 High 9.8 CWE-1321 0.18446 0.96364
  • 6.0.0–6.2.0
  • 5.0.0–5.5.1
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2023-41058 High 7.5 CWE-670 0.00119 0.47544
  • 6.0.0–6.2.1
  • 5.0.0–5.5.4
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2023-46119 High 7.5 CWE-22, CWE-23 0.00155 0.52984
  • 6.0.0–6.3.0-beta.1
  • 5.0.0–5.5.5
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2024-27298 High 10 CWE-89 0.00045 0.17577
  • 7.0.0-alpha.1–7.0.0-alpha.19
  • 6.0.0–6.5.0-beta.1
  • 5.0.0–5.6.0
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2024-29027 High 9 CWE-74 0.00045 0.17206
  • 7.0.0-alpha.1–7.0.0-alpha.28
  • 6.0.0–6.5.4
  • 5.0.0–5.6.0
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2024-39309 High 9.8 CWE-89, CWE-288 0.00045 0.17577
  • 7.0.0–7.1.0-beta.1
  • 6.0.0–6.5.6
  • 5.0.0–5.6.0
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2024-47183 High 8.1 CWE-285, CWE-863 0.00071 0.32756
  • 7.0.0–7.3.0-beta.1
  • 6.0.0–6.5.8
  • 5.0.0–5.6.0
  • 4.0.2–4.10.20
  • 3.0.0–3.10.0
  • 2.0.0–2.8.4
  • 1.0.0–1.0.16
CVE-2020-15126 Medium 6.5 CWE-863 0.00105 0.44239
  • 4.0.2–4.2.0
  • 3.5.0–3.10.0

parse-server Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-47183 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2024-39309 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2024-29027 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2024-27298 parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2023-46119 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2023-41058 Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2023-36475 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and 6.2.1. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2023-32689 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain. An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker. The fix included in versions 5.4.4 and 6.1.1 adds a new Parse Server option `fileUpload.fileExtensions` to restrict file upload on Parse Server by file extension. It is recommended to restrict file upload for HTML file extensions, which this fix disables by default. If an app requires upload of files with HTML file extensions, the option can be set to `['.*']` or another custom value to override the default. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2023-22474 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. This issue has been patched in version 5.4.1. The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy`. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-41879 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option. This issue has been patched in versions 5.3.3 and 4.10.20. There are no known workarounds. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-41878 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the `requestKeywordDenylist` option. This issue is fixed in versions 4.10.19, and 5.3.2. If upgrade is not possible, the following Workarounds may be applied: Configure your firewall to only allow trusted servers to make request to the Parse Server Cloud Code Webhooks API, or block the API completely if you are not using the feature. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-39396 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. This issue is patched in version 5.3.1 and in 4.10.18. There are no known workarounds. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-39313 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no known workarounds. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-39231 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may be circumvented. Configurations which allow users to authenticate using the Parse Server authentication adapter where `appIds` is set as a string instead of an array of strings authenticate requests from an app with a different app ID than the one specified in the `appIds` configuration. For this vulnerability to be exploited, an attacker needs to be assigned an app ID by the authentication provider which is a sub-set of the server-side configured app ID. This issue is patched in versions 4.10.16 and 5.2.7. There are no known workarounds. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-39225 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. This issue is patched in version 4.10.15 and above, and 5.2.6 and above. To mitigate this issue in unpatched versions add a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-36079 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the maser key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-31112 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-31089 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as single instance without redundancy, the availability impact may be high. This issue has been addressed in versions 4.10.12 and 5.2.3. Users are advised to upgrade. There are no known workarounds for this issue. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-31083 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object. Versions 4.0.11 and 5.2.2 prevent this by introducing a new `rootCertificateUrl` property to the Parse Server Apple Game Center auth adapter which takes the URL to the root certificate of Apple's Game Center authentication certificate. If no value is set, the `rootCertificateUrl` property defaults to the URL of the current root certificate as of May 27, 2022. Keep in mind that the root certificate can change at any time and that it is the developer's responsibility to keep the root certificate URL up-to-date when using the Parse Server Apple Game Center auth adapter. There are no known workarounds for this issue. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-24901 Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2022-24760 Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype Pollution vulnerable code in the file `DatabaseController.js`, so it is likely to affect Postgres and any other database backend as well. This vulnerability has been confirmed on Linux (Ubuntu) and Windows. Users are advised to upgrade as soon as possible. The only known workaround is to manually patch your installation with code referenced at the source GHSA-p6h4-93qp-jhcm. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2021-41109 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload. A patch in version 4.10.4 removes session tokens from the LiveQuery payload. As a workaround, set `user.acl(new Parse.ACL())` in a beforeSave trigger to make the user private already on sign-up. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2021-39187 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes when if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch for this issue in version 4.10.3. No workarounds aside from upgrading are known to exist. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2021-39138 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the `authProvider` field in `_Session` class under `createdWith` shows the user logged in creating a password. If a developer later depends on the `createdWith` field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a `password`. The server does not currently use `createdWith` to make decisions about internal functions, so if a developer is not using `createdWith` directly, they are not affected. The vulnerability only affects users who depend on `createdWith` by using it directly. The issue is patched in Parse Server version 4.5.1. As a workaround, do not use the `createdWith` Session field to make decisions if one allows anonymous login. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2020-5251 In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Using the NoSQL, you can use a regex on sessionToken and find valid accounts this way. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2020-26288 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping password after authentication to prevent cleartext password storage. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2020-15270 Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not patched. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2020-15126 In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via relation or Pointer on his User object. 3.7.0, 3.9.0, 3.5.0, 3.6.0, 4.1.0, 3.10.0, 3.8.0, 3.7.2 (Show all) Major → 6.5.9
CVE-2019-1020013 parse-server before 3.6.0 allows account enumeration. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9
CVE-2019-1020012 parse-server before 3.4.1 allows DoS after any POST to a volatile class. 2.0.7, 2.0.8, 2.0.3, 1.0.13, 2.2.16, 2.2.20, 2.2.21, 2.3.0 (Show all) Major → 6.5.9

Instantly see if these parse-server vulnerabilities affect your code.

Scan for Free