
Parse-Community Parse-Server vulnerabilities

112 known vulnerabilities affecting parse-community/parse-server.

Total CVEs: 112
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 20, HIGH 42, MEDIUM 43, LOW 7

Vulnerabilities

Page 3 of 6
CVE-2023-41058 | P3 | HIGH | CVSS 7.5 | affected: >= 1.0.0, < 5.5.5; >= 6.0.0, < 6.2.2 | 2023-09-04
CWE-670: Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the intern
Sources: GHSA, NVD, OSV
CVE-2026-34573 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.68; affected: >= 9.0.0, < 9.7.0-alpha.12 | 2026-03-31
CWE-407: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js
Sources: GHSA, NVD, OSV
CVE-2026-31872 | P3 | HIGH | CVSS 7.5 | affected: >= 9.0.0, < 9.6.0-alpha.6; fixed in 8.6.32 | 2026-03-11
CWE-284: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field,
Sources: GHSA, NVD, OSV
CVE-2026-30972 | P3 | HIGH | CVSS 7.5 | affected: >= 9.0.0, < 9.5.2-alpha.10; fixed in 8.6.23 | 2026-03-10
CWE-799: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, byp
Sources: GHSA, NVD, OSV
CVE-2026-50008 | P3 | MEDIUM | CVSS 6.9 | affected: >= 9.8.0, < 9.9.1-alpha.3 | 2026-06-12
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express middleware against the outer HTTP request URL, so
Sources: GHSA, NVD
CVE-2024-47183 | P3 | HIGH | CVSS 8.1 | fixed in 6.5.9; affected: >= 7.0.0, < 7.3.0 | 2024-10-04
CWE-285: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability
Sources: GHSA, NVD, OSV
CVE-2026-32886 | P3 | HIGH | CVSS 7.5 | affected: >= 9.0.0, < 9.6.0-alpha.24; fixed in 8.6.47 | 2026-03-18
CWE-1321: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a
Sources: GHSA, NVD, OSV
CVE-2026-30947 | P3 | HIGH | CVSS 7.5 | affected: >= 9.0.0, < 9.5.2-alpha.3; fixed in 8.6.16 | 2026-03-10
CWE-863: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regar
Sources: GHSA, NVD, OSV
CVE-2021-47987 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.0 | 2026-06-25
CWE-494: Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with write access. No releases were published with these tags; a project was exposed only if it defined a git-based dependency referencing one of the affected
Sources: NVD
CVE-2022-31112 | P3 | HIGH | CVSS 8.2 | fixed in 4.10.13; affected: >= 5.0.0, < 5.2.4 | 2022-06-30
CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade
Sources: GHSA, NVD, OSV
CVE-2026-32944 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.55; affected: >= 9.0.0, < 9.6.0-alpha.44 | 2026-03-18
CWE-674: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Star
Sources: GHSA, NVD, OSV
CVE-2026-30925 | P3 | HIGH | CVSS 7.5 | affected: >= 9.0.0, < 9.5.0-alpha.14; fixed in 8.6.11 | 2026-03-10
CWE-1333: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all
Sources: GHSA, NVD, OSV
CVE-2021-47986 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.0 | 2026-06-25
CWE-494: Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and potentially malicious code.
Sources: NVD
CVE-2026-34215 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.63; affected: >= 9.0.0, < 9.7.0-alpha.7 | 2026-03-31
CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secr
Sources: GHSA, NVD, OSV
CVE-2025-68150 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.2; affected: >= 9.0.0, < 9.1.1-alpha.1 | 2025-12-16
CWE-918: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoint
Sources: GHSA, NVD, OSV
CVE-2022-36079 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.14; affected: >= 5.0.0, < 5.2.5 | 2022-09-07
CWE-200: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid
Sources: GHSA, NVD, OSV
CVE-2026-33508 | P3 | HIGH | CVSS 7.5 | fixed in 8.6.56; affected: >= 9.0.0, < 9.6.0-alpha.45 | 2026-03-24
CWE-674: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply
Sources: GHSA, NVD, OSV
CVE-2026-53726 | P3 | MEDIUM | CVSS 6.9 | fixed in 8.6.80; affected: >= 9.0.0, < 9.9.1-alpha.6 | 2026-06-12
CWE-639: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1-alpha.6, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by protectedFields, and even when the object owning
Sources: GHSA, NVD
CVE-2022-31083 | P3 | HIGH | CVSS 7.5 | fixed in 4.0.11; affected: >= 5.0.0, < 5.2.2 | 2022-06-17
CWE-287: Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter was not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and pr
Sources: GHSA, NVD, OSV
CVE-2022-24901 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.10; affected: >= 5.0.0, < 5.2.1 | 2022-05-04
CWE-287: Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
Sources: GHSA, NVD, OSV