
Parse-Community Parse-Server vulnerabilities

112 known vulnerabilities affecting parse-community/parse-server.

Total CVEs: 112
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 20, HIGH 42, MEDIUM 43, LOW 7

Vulnerabilities

Page 4 of 6
CVE-2026-32770 | P3 | HIGH | CVSS 7.5 | affected >= 9.0.0, < 9.6.0-alpha.19 | fixed in 8.6.43 | 2026-03-18
CWE-248. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscri
Sources: GHSA, NVD, OSV
CVE-2026-32728 | P3 | HIGH | CVSS 7.6 | affected >= 9.0.0, < 9.6.0-alpha.15 | fixed in 8.6.41 | 2026-03-18
CWE-79. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail match
Sources: GHSA, NVD, OSV
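The `Content-Type` parameter bypass above comes down to how an upload filter derives a file extension from the header. The block below is an added example, not Parse Server's own code: a small RFC 2045 style Content-Type parser and two extension checks side by side, the fail-open shape the advisory describes (the raw header string is the lookup key, so any appended `;parameter` makes the lookup miss and the check is effectively skipped) and a hardened check that decides on the parsed media type and fails closed. The media-type table, the allowlist, the function names and the sample headers are all constructed for this demo; the exact code path that was fixed in Parse Server is not on this page.

```javascript
// Added example, not Parse Server's code. Models the Content-Type parameter
// bypass: a filter keyed on the raw header string fails open once a
// ";parameter" is appended, while a parser-based check does not.
// The table, allowlist and helper names are assumptions for this demo.

// Constructed media-type -> extension table (a real filter would use a MIME db).
const MEDIA_TYPE_TO_EXT = {
  'image/png': 'png',
  'image/jpeg': 'jpg',
  'application/pdf': 'pdf',
  'text/html': 'html',
};
// Extensions the upload endpoint is willing to store.
const ALLOWED_EXTENSIONS = new Set(['png', 'jpg', 'pdf']);

// Weak check (the bug class): the raw header is the lookup key. "text/html" is
// rejected, but "text/html;charset=utf-8" misses the table, and a miss is
// treated as "nothing to validate", so the upload goes through.
function weakExtensionCheck(contentTypeHeader) {
  const ext = MEDIA_TYPE_TO_EXT[contentTypeHeader];
  if (ext === undefined) return true; // fail open
  return ALLOWED_EXTENSIONS.has(ext);
}

// RFC 2045 style parse: the media type is the token before the first ';',
// compared case-insensitively with surrounding whitespace dropped; parameters
// come back separately. Returns null for anything that is not type/subtype.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const [typePart, ...paramParts] = header.split(';');
  const mediaType = typePart.trim().toLowerCase();
  if (!/^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(mediaType)) return null;
  const params = {};
  for (const part of paramParts) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    const name = part.slice(0, eq).trim().toLowerCase();
    let value = part.slice(eq + 1).trim();
    if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) {
      value = value.slice(1, -1);
    }
    if (name) params[name] = value;
  }
  return { mediaType, params };
}

// Hardened check: decide on the parsed media type, fail closed when it is
// unknown, and require the filename's own extension to be allowed as well
// (an "image/png" header does not make "page.html" acceptable).
function hardenedExtensionCheck(contentTypeHeader, filename) {
  const parsed = parseContentType(contentTypeHeader);
  if (parsed === null) return false;
  const ext = MEDIA_TYPE_TO_EXT[parsed.mediaType];
  if (ext === undefined) return false; // unknown type: reject rather than skip
  if (!ALLOWED_EXTENSIONS.has(ext)) return false;
  const dot = filename.lastIndexOf('.');
  if (dot === -1 || dot === filename.length - 1) return false; // no extension
  return ALLOWED_EXTENSIONS.has(filename.slice(dot + 1).toLowerCase());
}
```

The point of the hardened variant is the two fail-closed branches: a header the parser cannot read and a media type the table does not know both end in rejection, so there is no state in which "could not determine an extension" quietly turns into "allowed".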
CVE-2025-64502 | P3 | MEDIUM | CVSS 6.9 | fixed in 8.5.0-alpha.5 | 2025-11-10
CWE-201. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute expl
Sources: GHSA, NVD, OSV
CVE-2026-47248 | P3 | MEDIUM | CVSS 6.9 | fixed in 8.6.78 | affected >= 9.0.0, < 9.9.1-alpha.2 | 2026-06-12
CWE-209. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.78 and 9.9.1-alpha.2, Parse Server's GraphQL endpoint discloses schema metadata to unauthenticated callers through "Did you mean ...?" suggestions embedded in GraphQL validation-error messages. An unauthenticated caller who kno
Sources: NVD
CVE-2021-39187 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.3 | 2021-09-02
CWE-74. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch fo
Sources: GHSA, NVD, OSV
CVE-2026-33421 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.53 | affected >= 9.0.0, < 9.6.0-alpha.42 | 2026-03-24
CWE-863. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery event
Sources: GHSA, NVD, OSV
CVE-2026-33627 | P3 | MEDIUM | CVSS 6.5 | fixed in 8.6.61 | affected >= 9.0.0, < 9.6.0-alpha.55 | 2026-03-24
CWE-200. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authent
Sources: GHSA, NVD, OSV
CVE-2021-41109 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.4 | 2021-09-30
CWE-200. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens create
Sources: GHSA, NVD, OSV
CVE-2022-31089 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.12 | affected >= 5.0.0, < 5.2.3 | 2022-06-27
CWE-252. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as s
Sources: GHSA, NVD, OSV
CVE-2026-30962 | P3 | MEDIUM | CVSS 6.5 | affected >= 9.0.0, < 9.5.2-alpha.6 | fixed in 8.6.19 | 2026-03-10
CWE-284. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated u
Sources: GHSA, NVD, OSV
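A check that only inspects the top-level keys of a `where` clause is exactly what a `$or` / `$and` / `$nor` wrapper defeats. As an added example (not Parse Server's code), the block below shows that top-level check next to a recursive one that descends into the logical operators and also treats dotted keys such as `ssn.last4` as touching their root field. The protected field names, the sample queries and the function names are constructed for the demo.

```javascript
// Added example, not Parse Server's code. Finds constraints on protected
// fields anywhere in a Parse-style `where` clause, including inside the
// logical operators, which is where the top-level-only check loses them.
// Field names, sample queries and helper names are assumptions for this demo.

const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

// Top-level only: the shape of the bypassed check. A constraint wrapped in
// {$or: [{ssn: ...}]} never shows up in Object.keys(where).
function weakFindProtectedConstraints(where, protectedFields) {
  return Object.keys(where).filter((k) => protectedFields.includes(k));
}

// Recursive walk. Returns every protected field referenced in the clause
// together with the JSON-path-like location it was found at.
function findProtectedConstraints(where, protectedFields, path = '$') {
  const hits = [];
  if (where === null || typeof where !== 'object' || Array.isArray(where)) return hits;
  const protectedSet = new Set(protectedFields);
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPERATORS.has(key)) {
      // Parse requires the operand of $or/$and/$nor to be an array of clauses.
      if (!Array.isArray(value)) throw new Error(`${key} must be an array of clauses`);
      value.forEach((sub, i) => {
        hits.push(...findProtectedConstraints(sub, protectedFields, `${path}.${key}[${i}]`));
      });
      continue;
    }
    // "ssn.last4" constrains the "ssn" field just as much as "ssn" does.
    const root = key.split('.')[0];
    if (protectedSet.has(root)) hits.push({ field: root, path: `${path}.${key}` });
  }
  return hits;
}

// Gate to run before the query reaches the database: reject the whole query
// rather than silently dropping the offending constraint.
function assertNoProtectedConstraints(where, protectedFields) {
  const hits = findProtectedConstraints(where, protectedFields);
  if (hits.length > 0) {
    const fields = [...new Set(hits.map((h) => h.field))].join(', ');
    throw new Error(`query constrains protected field(s): ${fields}`);
  }
  return true;
}
```

Two details worth keeping in mind when adapting this: Parse's subquery operators (`$inQuery`, `$notInQuery`, `$select`, `$dontSelect`) also carry nested `where` clauses that a complete walker has to descend into, and rejecting the query outright is preferable to stripping the constraint, since a stripped constraint still lets a caller infer field values from which rows come back.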
CVE-2026-32269 | P3 | MEDIUM | CVSS 6.5 | affected >= 9.0.0, < 9.6.0-alpha.13; >= 8.0.2, < 8.6.39 | 2026-03-12
CWE-683. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of
Sources: GHSA, NVD, OSV
CVE-2022-39313 | P3 | HIGH | CVSS 7.5 | fixed in 4.10.17 | affected >= 5.0.0, < 5.2.8 | 2022-10-24
CWE-1284. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been patched in versions 4.10.17, and 5.2.8. There are no k
Sources: GHSA, NVD, OSV
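An invalid byte range can only crash a server that hands the raw header through to the storage layer. As an added example that is not Parse Server's code, the block below parses a single-range `Range: bytes=...` header against a known file length, classifies it as none / partial / unsatisfiable / invalid, and maps each outcome to the status a file endpoint should return: 200 with the full body, 206 with a `Content-Range`, 416 with `bytes */size`, and, for a syntactically invalid header, 200 with the header ignored as RFC 7233 directs. The function names and inputs are constructed; multi-range requests are deliberately classified as invalid here rather than implemented.

```javascript
// Added example, not Parse Server's code. Parses a single-range Range header
// against a known file size so that malformed or unsatisfiable ranges are
// turned into a response instead of reaching the file store.
// Function names and the sample inputs are assumptions for this demo.

// Returns {status: 'none'|'partial'|'unsatisfiable'|'invalid', start?, end?, length?}.
function parseByteRange(rangeHeader, fileSize) {
  if (!Number.isSafeInteger(fileSize) || fileSize < 0) throw new TypeError('fileSize must be a non-negative integer');
  if (typeof rangeHeader !== 'string') return { status: 'none' }; // no Range header: full body
  // Single byte-range-spec only; wrong unit, multiple ranges and garbage all miss.
  const m = /^bytes=(\d*)-(\d*)$/.exec(rangeHeader.trim());
  if (m === null) return { status: 'invalid' };
  const [, startStr, endStr] = m;
  if (startStr === '' && endStr === '') return { status: 'invalid' }; // "bytes=-"
  let start;
  let end;
  if (startStr === '') {
    // suffix-byte-range-spec: the last N bytes; N = 0 is unsatisfiable per RFC 7233
    const suffix = Number(endStr);
    if (!Number.isSafeInteger(suffix)) return { status: 'invalid' };
    if (suffix === 0) return { status: 'unsatisfiable' };
    start = Math.max(0, fileSize - suffix);
    end = fileSize - 1;
  } else {
    start = Number(startStr);
    end = endStr === '' ? fileSize - 1 : Number(endStr);
  }
  // Digit strings too long to be exact integers are rejected rather than rounded.
  if (!Number.isSafeInteger(start) || !Number.isSafeInteger(end)) return { status: 'invalid' };
  if (start >= fileSize) return { status: 'unsatisfiable' }; // covers the empty file too
  if (end < start) return { status: 'invalid' }; // "bytes=50-10"
  end = Math.min(end, fileSize - 1); // an end past EOF is clamped, not rejected
  return { status: 'partial', start, end, length: end - start + 1 };
}

// Maps the parse result to the status and headers a file endpoint would send.
function rangeResponse(rangeHeader, fileSize) {
  const r = parseByteRange(rangeHeader, fileSize);
  switch (r.status) {
    case 'partial':
      return {
        status: 206,
        headers: { 'Content-Range': `bytes ${r.start}-${r.end}/${fileSize}`, 'Content-Length': String(r.length) },
      };
    case 'unsatisfiable':
      return { status: 416, headers: { 'Content-Range': `bytes */${fileSize}` } };
    default:
      // 'none' and 'invalid': RFC 7233 says an invalid Range header is ignored
      // and the whole representation is served.
      return { status: 200, headers: { 'Content-Length': String(fileSize) } };
  }
}
```

The clamp on `end` and the `isSafeInteger` checks are the two places where a naive parser typically misbehaves: one produces a slice larger than the file, the other feeds a rounded float into whatever does the seeking.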
CVE-2026-33163 | P3 | MEDIUM | CVSS 6.5 | affected >= 9.0.0, < 9.6.0-alpha.35 | fixed in 8.6.50 | 2026-03-18
CWE-200. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.35 and 8.6.50, when a `Parse.Cloud.afterLiveQueryEvent` trigger is registered for a class, the LiveQuery server leaks protected fields and `authData` to all subscribers of that class. Fields configured as protected via Class-L
Sources: GHSA, NVD, OSV
CVE-2023-46119 | P3 | HIGH | CVSS 7.5 | affected >= 1.0.0, < 5.5.6; >= 6.0.0, < 6.3.1 | 2023-10-25
CWE-23. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when a file without an extension is uploaded. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
Sources: GHSA, NVD, OSV
CVE-2025-30168 | P3 | MEDIUM | CVSS 6.9 | fixed in 7.5.2 | affected >= 8.0.0, < 8.0.2 | 2025-03-21
CWE-287. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using th
Sources: GHSA, NVD, OSV
CVE-2021-39138 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.1 | 2021-08-19
CWE-287. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to sign up users and also allow users to log in anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates the session incorrectly. Particularly, the `authProvider` field
Sources: GHSA, NVD, OSV
CVE-2020-26288 | P3 | MEDIUM | CVSS 6.5 | fixed in 4.5.0 | 2020-12-30
CWE-312. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext passw
Sources: GHSA, NVD, OSV
CVE-2023-32689 | P3 | MEDIUM | CVSS 6.5 | fixed in 5.4.4 | affected >= 6.0.0, < 6.1.1 | 2023-05-30
CWE-434. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessi
Sources: GHSA, NVD, OSV
CVE-2026-30850 | P3 | MEDIUM | CVSS 5.9 | fixed in 8.6.9 | fixed in 9.5.0-alpha.9 | 2026-03-07
CWE-862. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasse
Sources: GHSA, NVD, OSV
CVE-2026-31875 | P3 | MEDIUM | CVSS 5.9 | affected >= 9.0.0, < 9.6.0-alpha.7 | fixed in 8.6.33 | 2026-03-11
CWE-672. Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP toke
Sources: GHSA, NVD, OSV
Parse-Community Parse-Server vulnerabilities | cvebase