Parseplatform Parse-Server vulnerabilities
101 known vulnerabilities affecting parseplatform/parse-server.
Total CVEs: 101
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 19, HIGH 40, MEDIUM 36, LOW 6
Vulnerabilities
Page 3 of 6
CVE-2026-30972 | P3 | HIGH | CVSS 7.5 | CWE-799 | fixed in 8.6.23 | affected: ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, byp
Source: nvd
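The pattern behind this advisory, a per-request rate limit that the batch endpoint sidesteps by dispatching sub-requests internally, as an added example that is not Parse Server's own code. It shows a fixed-window budget, a batch handler that charges only the outer HTTP request, and one that charges the batch by its sub-request count before any of them runs. The window size, limit, client key and sub-request dispatcher are assumptions constructed for the example.

```javascript
// Added example, not Parse Server's own code. A fixed-window request budget
// per client, and two shapes of a /batch handler: one where only the outer
// HTTP request is charged while sub-requests are dispatched internally, and
// one where the batch is charged by its sub-request count before anything
// runs. Window size, limit, the client key and the sub-request dispatcher
// are assumptions constructed for the example.

class RequestBudget {
  constructor({ limit = 100, windowMs = 60000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map();   // clientKey -> { start, used }
  }
  // Spends `cost` units for `clientKey` if the window has room; returns true if allowed.
  spend(clientKey, cost = 1) {
    const t = this.now();
    let w = this.windows.get(clientKey);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, used: 0 };
      this.windows.set(clientKey, w);
    }
    if (w.used + cost > this.limit) return false;
    w.used += cost;
    return true;
  }
}

// Stand-in for routing one sub-request internally (constructed, not Parse's router).
function dispatchSubRequest(req) {
  return { method: req.method, path: req.path, success: true };
}

// Vulnerable shape: the middleware charged one unit for the HTTP request;
// the sub-requests never pass through the middleware, so they cost nothing.
function handleBatchNaive(budget, clientKey, body) {
  if (!budget.spend(clientKey, 1)) return { status: 429 };
  return { status: 200, results: body.requests.map(dispatchSubRequest) };
}

// Hardened shape: size-check the batch, then charge all of it up front.
function handleBatchCharged(budget, clientKey, body) {
  const requests = Array.isArray(body.requests) ? body.requests : [];
  if (requests.length === 0 || requests.length > budget.limit) return { status: 400 };
  if (!budget.spend(clientKey, requests.length)) return { status: 429 };
  return { status: 200, results: requests.map(dispatchSubRequest) };
}

// Constructed batch body with n sub-requests.
function constructedBatch(n) {
  return {
    requests: Array.from({ length: n }, (_, i) => ({ method: 'GET', path: `/classes/Item/${i}` })),
  };
}
```

With a limit of 100 per window, the naive handler accepts a 500-request batch for the price of one call, while the charged handler rejects it outright and refuses a second 60-request batch in the same window.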
CVE-2024-47183 | P3 | HIGH | CVSS 8.1 | CWE-285 | fixed in 6.5.9 | affected: ≥ 7.0.0, < 7.3.0 | 2024-10-04
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability
Source: nvd
CVE-2026-32886 | P3 | HIGH | CVSS 7.5 | CWE-1321 | fixed in 8.6.47 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a
Source: nvd
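The general hazard behind this advisory, a name lookup that walks the JavaScript prototype chain, as an added example that is not Parse Server's own code and does not reproduce its code path. A registry kept in a plain object resolves "toString" or "constructor" to functions that were never registered; the hardened registry uses a prototype-less object, checks own properties only, and restricts names to an assumed policy (NAME_RE).

```javascript
// Added example, not Parse Server's own code. A cloud-function registry kept
// in a plain object resolves names through Object.prototype, so a request for
// "constructor" or "toString" finds a function that was never registered.
// The hardened registry uses a prototype-less object, checks own properties
// only, and restricts names to an assumed policy (NAME_RE).

const NAME_RE = /^[A-Za-z0-9_]{1,128}$/;   // assumed naming policy for cloud functions

// Vulnerable shape: plain object, unguarded property read.
function makeNaiveRegistry() {
  const handlers = {};
  return {
    define(name, fn) { handlers[name] = fn; },
    resolve(name) {
      const fn = handlers[name];          // walks the prototype chain on a miss
      return typeof fn === 'function' ? fn : null;
    },
  };
}

// Hardened shape: no prototype chain to walk, own-property check, name policy.
function makeSafeRegistry() {
  const handlers = Object.create(null);
  return {
    define(name, fn) {
      if (typeof name !== 'string' || !NAME_RE.test(name) || typeof fn !== 'function') {
        throw new TypeError('invalid cloud function registration');
      }
      handlers[name] = fn;
    },
    resolve(name) {
      if (typeof name !== 'string' || !NAME_RE.test(name)) return null;
      if (!Object.prototype.hasOwnProperty.call(handlers, name)) return null;
      return handlers[name];
    },
  };
}

// Probes both registries with a registered name and with names that exist
// only on Object.prototype; reports which lookups produced a callable.
function probe() {
  const naive = makeNaiveRegistry();
  const safe = makeSafeRegistry();
  naive.define('hello', () => 'hi');
  safe.define('hello', () => 'hi');
  const resolved = (reg, name) => reg.resolve(name) !== null;
  return {
    naive: { hello: resolved(naive, 'hello'), toString: resolved(naive, 'toString'), constructor: resolved(naive, 'constructor') },
    safe: { hello: resolved(safe, 'hello'), toString: resolved(safe, 'toString'), constructor: resolved(safe, 'constructor') },
  };
}
```

The naive registry reports a callable for "toString" and "constructor" because `{}` inherits them; the safe registry resolves only the one name that was defined.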
CVE-2026-30947 | P3 | HIGH | CVSS 7.5 | CWE-863 | fixed in 8.6.16 | affected: ≥ 9.0.0, < 9.5.2 (+1 more) | 2026-03-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regar
Source: nvd
CVE-2022-31112 | P3 | HIGH | CVSS 8.2 | CWE-200 | fixed in 4.10.13 | affected: ≥ 5.0.0, < 5.2.4 | 2022-06-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable to upgrade
Source: nvd
CVE-2026-32944 | P3 | HIGH | CVSS 7.5 | CWE-674 | fixed in 8.6.45 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.21 and 8.6.45, an unauthenticated attacker can crash the Parse Server process by sending a single request with deeply nested query condition operators. This terminates the server and denies service to all connected clients. Star
Source: nvd
CVE-2026-30925 | P3 | HIGH | CVSS 7.5 | CWE-1333 | fixed in 8.6.11 | affected: ≥ 9.0.0, < 9.5.0 (+1 more) | 2026-03-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all
Source: nvd
CVE-2026-34215 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 8.6.63 | affected: ≥ 9.0.0, < 9.7.0 (+1 more) | 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secr
Source: nvd
CVE-2025-68150 | P3 | MEDIUM | CVSS 6.5 | CWE-918 | fixed in 8.6.2 | affected: v9.0.0 (+1 more) | 2025-12-16
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoint
Source: nvd
CVE-2022-36079 | P3 | HIGH | CVSS 7.5 | CWE-200 | fixed in 4.10.14 | affected: ≥ 5.0.0, < 5.2.5 | 2022-09-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid
Source: nvd
CVE-2026-33508 | P3 | HIGH | CVSS 7.5 | CWE-674 | fixed in 8.6.56 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply
Source: nvd
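Both CWE-674 entries above (CVE-2026-32944 for REST queries and CVE-2026-33508 for LiveQuery subscriptions) come down to a nesting-depth bound that is either missing or not applied on one path. The check, as an added example that is not Parse Server's own code: the walk over the `where` clause is iterative with an explicit stack, so a hostile document cannot overflow the call stack of the checker itself, which is the failure mode a recursive checker would share with the code it protects. The limit of 20 and the error code are assumptions; in Parse Server the real knob is `requestComplexity.queryDepth`.

```javascript
// Added example, not Parse Server's own code. Bounds the nesting depth of a
// Parse-style `where` clause before it reaches the query engine. The walk is
// iterative so the checker cannot itself be crashed by the input it rejects.

const DEFAULT_MAX_DEPTH = 20;   // assumed limit; Parse's requestComplexity.queryDepth is the real setting

// Returns the maximum nesting depth of objects/arrays in `where`, stopping as
// soon as `maxDepth` is exceeded so a huge document is not walked in full.
function measureDepth(where, maxDepth = DEFAULT_MAX_DEPTH) {
  const stack = [{ node: where, depth: 1 }];
  let deepest = 0;
  while (stack.length > 0) {
    const { node, depth } = stack.pop();
    if (node === null || typeof node !== 'object') continue;   // scalars add no depth
    if (depth > deepest) deepest = depth;
    if (deepest > maxDepth) return deepest;                      // early exit; caller rejects
    const children = Array.isArray(node) ? node : Object.values(node);
    for (const child of children) stack.push({ node: child, depth: depth + 1 });
  }
  return deepest;
}

// Rejects with a client error instead of letting the engine recurse into it.
function assertQueryDepth(where, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = measureDepth(where, maxDepth);
  if (depth > maxDepth) {
    const err = new Error(`query nesting depth ${depth} exceeds limit ${maxDepth}`);
    err.code = 'QUERY_TOO_DEEP';   // assumed application error code
    throw err;
  }
  return depth;
}

// Constructed hostile input: { $or: [ { $or: [ ... ] } ] } nested `levels` deep
// around a one-constraint leaf, giving a total depth of 2 + 2 * levels.
function nestedOr(levels) {
  let where = { score: { $gt: 1 } };
  for (let i = 0; i < levels; i++) where = { $or: [where] };
  return where;
}
```

Because the walk exits at the first node past the limit, a document nested a hundred thousand levels deep is rejected after 21 steps, and a recursive equivalent would never have got that far without blowing the stack.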
CVE-2022-31083 | P3 | HIGH | CVSS 7.5 | CWE-287 | fixed in 4.10.11 | affected: ≥ 5.0.0, < 5.2.2 | 2022-06-17
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and pr
Source: nvd
CVE-2022-24901 | P3 | HIGH | CVSS 7.5 | CWE-287 | fixed in 4.10.10 | affected: ≥ 5.0.0, < 5.2.1 | 2022-05-04
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the URL points to before downloading it.
Source: nvd
CVE-2026-32770 | P3 | HIGH | CVSS 7.5 | CWE-248 | fixed in 8.6.43 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscri
Source: nvd
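Two of the LiveQuery entries above are about the same input: CVE-2026-30925 (a `$regex` shaped for catastrophic backtracking) and CVE-2026-32770 (a `$regex` that is not valid syntax and throws uncaught). Vetting a client-supplied pattern before the subscription is accepted, as an added example that is not Parse Server's own code: the SyntaxError is caught and turned into a subscription error, and a conservative heuristic rejects nested-quantifier shapes. The length cap and the heuristic are assumptions of this example; the heuristic is not a complete ReDoS detector and belongs alongside a hard per-query time budget.

```javascript
// Added example, not Parse Server's own code. Vets a client-supplied $regex
// before a LiveQuery subscription is accepted. Handles two failure modes:
// invalid syntax (SyntaxError is caught, never escapes the handler) and a
// pattern built for catastrophic backtracking (rejected by a heuristic).
// MAX_PATTERN_LENGTH and NESTED_QUANTIFIER are assumptions of this example.

const MAX_PATTERN_LENGTH = 256;   // assumed cap

// A quantified group whose body itself contains an unbounded quantifier or an
// alternation, e.g. (a+)+, (a*)*, (\d{2,})+, (a|aa)+. Bounded repeats such as
// (\d{3})+ are not matched, since {n} without a comma is not open-ended.
const NESTED_QUANTIFIER =
  /\((?:[^()\\]|\\.)*(?:[*+]|\{\d*,\d*\}|\|)(?:[^()\\]|\\.)*\)(?:[*+]|\{\d*,\d*\})/;

function vetRegexPattern(pattern) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > MAX_PATTERN_LENGTH) return { ok: false, reason: 'too long' };
  if (NESTED_QUANTIFIER.test(pattern)) return { ok: false, reason: 'nested quantifier' };
  try {
    return { ok: true, regex: new RegExp(pattern) };   // invalid syntax throws here
  } catch (e) {
    return { ok: false, reason: `invalid syntax: ${e.message}` };
  }
}

// Walks a Parse-style where clause (constructed shape), vets every $regex value
// it finds, and reports the first rejection. Iterative, so the walk itself cannot
// be overflowed by a deeply nested clause.
function vetWhereClause(where) {
  const stack = [where];
  while (stack.length > 0) {
    const node = stack.pop();
    if (node === null || typeof node !== 'object') continue;
    for (const [key, value] of Object.entries(node)) {
      if (key === '$regex') {
        const vetted = vetRegexPattern(value);
        if (!vetted.ok) return { ok: false, reason: vetted.reason };
      } else {
        stack.push(value);
      }
    }
  }
  return { ok: true };
}
```

A rejected subscription should be answered with an error frame on the WebSocket; what matters for the crash case is that the `new RegExp` call happens inside the try block and nowhere else on the subscription path.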
CVE-2026-32728 | P3 | HIGH | CVSS 7.6 | CWE-79 | fixed in 8.6.41 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-18
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.15 and 8.6.41, an attacker who is allowed to upload files can bypass the file extension filter by appending a MIME parameter (e.g. `;charset=utf-8`) to the `Content-Type` header. This causes the extension validation to fail match
Source: nvd
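The check this advisory describes, as an added example that is not Parse Server's own code and does not reproduce its file-upload code path. It contrasts a lookup on the raw `Content-Type` value, which misses once a parameter is appended and then fails open, with a check that first parses the media type (type "/" subtype, parameters stripped), also checks the file name's extension, and fails closed on anything unknown. The type map and block list are assumptions.

```javascript
// Added example, not Parse Server's own code. Decides whether an upload may be
// stored by checking the file name's extension and the media type from the
// Content-Type header. The header is parsed first so a parameter such as
// ";charset=utf-8" cannot make a lookup on the raw value miss. Unknown or
// unparseable input fails closed. TYPE_TO_EXT and BLOCKED_EXT are assumptions.

const TYPE_TO_EXT = new Map([        // assumed media type -> canonical extension
  ['image/png', 'png'],
  ['image/jpeg', 'jpg'],
  ['text/plain', 'txt'],
  ['text/html', 'html'],
]);
const BLOCKED_EXT = new Set(['html', 'htm', 'svg', 'js']);   // assumed: types a browser would execute

// "Text/HTML; charset=utf-8" -> "text/html"; null if the type token is malformed.
function parseMediaType(contentType) {
  if (typeof contentType !== 'string') return null;
  const type = contentType.split(';', 1)[0].trim().toLowerCase();
  return /^[a-z0-9!#$&^_.+-]+\/[a-z0-9!#$&^_.+-]+$/.test(type) ? type : null;
}

// Lowercase extension of the last path segment; null for none or a leading dot only.
function fileExtension(fileName) {
  if (typeof fileName !== 'string') return null;
  const base = fileName.split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  if (dot <= 0 || dot === base.length - 1) return null;
  return base.slice(dot + 1).toLowerCase();
}

// Vulnerable shape: the extension is looked up from the raw header value.
// "text/html; charset=utf-8" is not a key, so no extension is found and the
// block-list check never runs (fail open).
function naiveIsBlocked(contentType) {
  const ext = TYPE_TO_EXT.get(contentType);
  if (ext === undefined) return false;
  return BLOCKED_EXT.has(ext);
}

// Hardened shape: parse, normalise, check both the name and the type, and
// fail closed on anything the policy does not recognise.
function uploadAllowed(fileName, contentType) {
  const nameExt = fileExtension(fileName);
  if (nameExt === null || BLOCKED_EXT.has(nameExt)) return false;
  const mediaType = parseMediaType(contentType);
  if (mediaType === null) return false;
  const typeExt = TYPE_TO_EXT.get(mediaType);
  if (typeExt === undefined || BLOCKED_EXT.has(typeExt)) return false;
  return true;
}
```

The two checks agree on `text/html` and disagree on `text/html; charset=utf-8`: the naive lookup lets it through, the parsed check blocks it on the media type even when the file name carries a harmless extension.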
CVE-2021-39187 | P3 | HIGH | CVSS 7.5 | CWE-74 | fixed in 4.10.3 | 2021-09-02
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch. There is a patch fo
Source: nvd
CVE-2026-33421 | P3 | MEDIUM | CVSS 6.5 | CWE-863 | fixed in 8.6.53 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery event
Source: nvd
CVE-2026-33627 | P3 | MEDIUM | CVSS 6.5 | CWE-200 | fixed in 8.6.61 | affected: ≥ 9.0.0, < 9.6.0 (+1 more) | 2026-03-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authent
Source: nvd
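CVE-2026-34215 (verify password) and CVE-2026-33627 (GET /users/me) above are the same defect on two endpoints: a user record fetched with master-level access is returned without stripping `authData`. The response projection, as an added example that is not Parse Server's own code: it allow-lists what may leave the server (each provider keeps only a string `id`) rather than deleting known-bad keys, so TOTP secrets, recovery codes, OAuth tokens and any field added later are dropped without being named. The record layout and the `master` flag are constructed for the example.

```javascript
// Added example, not Parse Server's own code. Projects a stored user record
// into a client-facing shape by allow-listing: each authData provider keeps
// only a string `id`. The record layout is constructed; `master` marks a
// trusted server-side caller that may see the full record minus the password.

function sanitizeAuthData(authData) {
  if (authData === null || typeof authData !== 'object') return undefined;
  const out = {};
  for (const [provider, entry] of Object.entries(authData)) {
    if (entry === null || typeof entry !== 'object') continue;
    out[provider] = typeof entry.id === 'string' ? { id: entry.id } : {};
  }
  return out;
}

// Response body for a user object. The password hash never leaves either way;
// full authData goes only to a master-level caller.
function userResponse(user, { master = false } = {}) {
  const { password, authData, ...rest } = user;
  if (master) return { ...rest, authData };
  return { ...rest, authData: sanitizeAuthData(authData) };
}

// Constructed sample record carrying the kinds of secrets the advisories name.
const SAMPLE_USER = {
  objectId: 'u1',
  username: 'alice',
  password: '$2b$10$constructed-hash',
  authData: {
    mfa: { secret: 'JBSWY3DPEHPK3PXP', recovery: ['1111-2222', '3333-4444'] },
    github: { id: '12345', access_token: 'gho_constructed' },
  },
};
```

The allow-list is the point: a deny-list of `secret`, `recovery` and `access_token` would have been correct until the next adapter stored its credential under a new key.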
CVE-2021-41109 | P3 | HIGH | CVSS 7.5 | CWE-200 | fixed in 4.10.4 | 2021-09-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the `Parse.User` class, all session tokens create
Source: nvd
CVE-2022-31089 | P3 | HIGH | CVSS 7.5 | CWE-252 | fixed in 4.10.12 | affected: ≥ 5.0.0, < 5.2.3 | 2022-06-27
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability impact may be low; if you are running Parse Server as s
Source: nvd