parse-server
npm · 47 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting parse-server (page 1 of 1)
- CVE-2019-1020012 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 3.4.1 · 2019-07-29
parse-server before 3.4.1 allows DoS after any POST to a volatile class.
- CVE-2019-1020013 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 3.6.0 · 2019-07-29
parse-server before 3.6.0 allows account enumeration.
- CVE-2020-15126 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 4.3.0 · 2020-07-22
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on their User object, and also on all objects linked via relation or Pointer from their User object.
- CVE-2020-15270 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 4.4.0 · 2020-10-22
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscrip…
- CVE-2020-26288 · HIGH · CVSS 7.7 · EG 7.7 · ✓ Fixed in 4.5.0 · 2020-12-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in…
- CVE-2020-5251 · HIGH · CVSS 7.7 · EG 7.7 · ✓ Fixed in 4.1.0 · 2020-03-04
In parse-server before version 4.1.0, all user objects can be fetched by using a regex in the NoSQL query. A regex constraint on sessionToken can be used to find valid accounts this way.
- CVE-2021-39138 · MEDIUM · CVSS 4.8 · EG 4.8 · ✓ Fixed in 4.5.2 · 2021-08-19
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous us…
- CVE-2021-39187 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 4.10.3 · 2021-09-02
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the `explain` option. This is due t…
- CVE-2021-41109 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 4.10.4 · 2021-09-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payload…
- CVE-2022-24760 · CRITICAL · CVSS 10.0 · EG 10.0 · ✓ Fixed in 4.10.7 · 2022-03-12
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. Th…
- CVE-2022-24901 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 5.2.1 · 2022-05-04
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL …
- CVE-2022-31083 · HIGH · CVSS 8.6 · EG 8.6 · ✓ Fixed in 5.2.2 · 2022-06-17
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, aut…
- CVE-2022-31089 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 5.2.3 · 2022-06-27
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid files requests are not handled properly and can crash the server. If you are running mult…
- CVE-2022-31112 · HIGH · CVSS 8.2 · EG 8.2 · ✓ Fixed in 5.2.4 · 2022-06-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryContr…
- CVE-2022-36079 · HIGH · CVSS 8.6 · EG 8.6 · ✓ Fixed in 5.2.5 · 2022-09-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constr…
- CVE-2022-39225 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 5.2.6 · 2022-09-23
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session …
- CVE-2022-39231 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 5.2.7 · 2022-09-23
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for _Facebook_ and _Spotify_ may …
- CVE-2022-39313 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 5.2.8 · 2022-10-24
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte ra…
- CVE-2022-39396 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 5.3.1 · 2022-11-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch, are vulnerable to Remote Code Execution via prototype pollution. An at…
- CVE-2022-41878 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 5.3.2 · 2022-11-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option `requestKeywordDenylist` can be injected …
- CVE-2022-41879 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 5.3.3 · 2022-11-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototyp…
- CVE-2023-22474 · HIGH · CVSS 8.7 · EG 8.7 · ✓ Fixed in 5.4.1 · 2023-02-03
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy s…
- CVE-2023-32689 · MEDIUM · CVSS 6.3 · EG 6.3 · ✓ Fixed in 6.1.1 · 2023-05-30
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A m…
- CVE-2023-36475 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 6.2.1 · 2023-06-28
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoD…
- CVE-2023-41058 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 6.2.2 · 2023-09-04
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is…
- CVE-2023-46119 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 6.3.1 · 2023-10-25
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without extension. This vulnerability has been patched in versions 5.5.6 and 6.3.1.
- CVE-2024-27298 · CRITICAL · CVSS 10.0 · EG 10.0 · ✓ Fixed in 7.0.0-alpha.20 · 2024-03-01
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
- CVE-2024-29027 · CRITICAL · CVSS 9.0 · EG 9.0 · ✓ Fixed in 7.0.0-alpha.29 · 2024-03-19
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server an…
- CVE-2024-39309 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 7.1.0 · 2024-07-01
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL databas…
- CVE-2024-47183 · HIGH · CVSS 8.1 · EG 8.1 · ✓ Fixed in 7.3.0 · 2024-10-04
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object I…
- CVE-2025-30168 · MEDIUM · CVSS 6.9 · EG 6.9 · ✓ Fixed in 8.0.2 · 2025-03-21
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific …
- CVE-2025-53364 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 7.5.3 · 2025-07-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema witho…
- CVE-2025-64430 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 8.4.0-alpha.2 · 2025-11-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the fi…
- CVE-2025-64502 · MEDIUM · CVSS 6.9 · EG 0.0 · ✓ Fixed in 8.5.0-alpha.5 · 2025-11-10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning be…
- CVE-2025-68150 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 9.1.1-alpha.1 · 2025-12-16
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `api…
- CVE-2026-34215 · MEDIUM · CVSS 6.5 · EG 6.5 · ✓ Fixed in 8.6.63 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP se…
- CVE-2026-34224 · MEDIUM · CVSS 4.4 · EG 4.4 · ✓ Fixed in 8.6.64 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery c…
- CVE-2026-34363 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 8.6.65 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process…
- CVE-2026-34373 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 8.6.66 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionall…
- CVE-2026-34532 · CRITICAL · CVSS 9.1 · EG 9.1 · ✓ Fixed in 8.6.67 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.co…
- CVE-2026-34573 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 8.6.68 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by se…
- CVE-2026-34574 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 8.6.69 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, crea…
- CVE-2026-34595 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 8.6.70 · 2026-03-31
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields clas…
- CVE-2026-35200 · MEDIUM · CVSS 5.4 · EG 5.4 · ✓ Fixed in 8.6.73 · 2026-04-06
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .tx…
- CVE-2026-39321 · LOW · CVSS 3.7 · EG 3.7 · ✓ Fixed in 8.6.74 · 2026-04-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or em…
- CVE-2026-39381 · MEDIUM · CVSS 4.3 · EG 4.3 · ✓ Fixed in 8.6.75 · 2026-04-07
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured…
- CVE-2026-43930 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 8.6.76 · 2026-05-12
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requ…
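Several entries above (CVE-2022-39396, CVE-2022-41878, CVE-2022-41879, CVE-2023-36475, CVE-2026-34532) are the same bug class: a request key such as `__proto__` or `constructor` reaches a recursive merge or a MongoDB operator and pollutes `Object.prototype`. The following is an added example, not Parse Server's code, of how a keyword denylist of the shape described for `requestKeywordDenylist` (entries with a `key` and an optional `value`) has to be applied: to every dot-separated segment of a key, not just to the key as a whole, because Parse-style update keys are dotted paths. The denylist entries, the `unsafeMerge`/`safeMerge` functions and the sample payloads are constructed for the illustration; the page does not show Parse Server's actual default list.

```javascript
'use strict';

// Constructed denylist in the { key } / { key, value } shape of the
// `requestKeywordDenylist` option. A value-qualified rule only fires when
// the key *and* the value match.
const DENYLIST = [
  { key: '__proto__' },
  { key: 'constructor' },
  { key: 'prototype' },
  { key: '_bsontype', value: 'Code' },
];

// Parse update keys may be dotted paths ("a.b.c"); a denied word hidden in the
// middle of the path must still be caught, so check every segment.
function keySegments(key) {
  return String(key).split('.');
}

function isDenied(key, value, denylist = DENYLIST) {
  for (const rule of denylist) {
    for (const seg of keySegments(key)) {
      if (seg !== rule.key) continue;
      if (!('value' in rule) || rule.value === value) return true;
    }
  }
  return false;
}

// Walk a parsed JSON body and collect the JSON path of every offending key.
// JSON.parse('{"__proto__": ...}') creates an *own* property named __proto__,
// so Object.keys() sees it; an object literal { __proto__: x } would not.
function findDeniedKeywords(value, denylist = DENYLIST, path = '$', out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findDeniedKeywords(v, denylist, `${path}[${i}]`, out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      const child = value[key];
      const childPath = `${path}.${key}`;
      if (isDenied(key, child, denylist)) out.push(childPath);
      findDeniedKeywords(child, denylist, childPath, out);
    }
  }
  return out;
}

// A merge of the kind that acts as a prototype-pollution sink: for the key
// "__proto__", target["__proto__"] is Object.prototype, which is an object, so
// the recursion descends into it and writes attacker-controlled properties.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const v = source[key];
    if (v !== null && typeof v === 'object' && !Array.isArray(v)) {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      unsafeMerge(target[key], v);
    } else {
      target[key] = v;
    }
  }
  return target;
}

// Hardened variant: reject the whole request if any denied keyword is present.
function safeMerge(target, source, denylist = DENYLIST) {
  const hits = findDeniedKeywords(source, denylist);
  if (hits.length) throw new Error(`Prohibited keyword in request: ${hits.join(', ')}`);
  return unsafeMerge(target, source);
}

// Show the sink firing on a constructed payload, then undo the pollution so the
// rest of the process is unaffected. Returns what `({}).polluted` read before
// and after the merge.
function demonstratePollution() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed
  const before = ({}).polluted;
  unsafeMerge({}, payload);
  const after = ({}).polluted;
  delete Object.prototype.polluted;
  return { before, after };
}
```

Note that the scanner looks only at keys: a string *value* equal to `constructor` is harmless and is not flagged, which keeps the denylist from rejecting legitimate data.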
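CVE-2020-5251, CVE-2022-36079 and CVE-2026-34595 share a second pattern: a field the client may not *read* (an internal `_`-prefixed key such as a hashed password, or a user-defined protected field) can still be used as a query *constraint*, so `$regex` or `$exists` on it leaks the value one character, or one existence bit, at a time. The example below is added here and is not Parse Server's code: it validates a REST-style `where` clause before it reaches the database, recursing through `$or`/`$and`/`$nor` and into `$inQuery`/`$notInQuery`/`$select`/`$dontSelect` sub-queries so the check cannot be evaded by nesting. The per-class protected-field table is constructed for the illustration; Parse Server's real `protectedFields` option is also role-aware, which this sketch does not model.

```javascript
'use strict';

// Constructed policy: user-defined protected fields per class. Internal
// `_`-prefixed keys (e.g. _hashed_password, _email_verify_token) are never
// legitimate constraint targets and are rejected regardless of class.
const PROTECTED_FIELDS = {
  _User: ['email', 'authData'],
  _Session: ['sessionToken'],
};

// Logical operators whose operands are arrays of nested where-clauses.
const LOGICAL_OPS = new Set(['$or', '$and', '$nor']);

function isInternalField(field) {
  return field.startsWith('_');
}

// Extract the nested { className, where } from a sub-query constraint, using
// the REST shapes {"$inQuery": {className, where}} and
// {"$select": {query: {className, where}, key}}. Returns null for other ops.
function subQueryOf(op, operand) {
  if (!operand || typeof operand !== 'object') return null;
  if (op === '$inQuery' || op === '$notInQuery') return operand;
  if (op === '$select' || op === '$dontSelect') return operand.query || null;
  return null;
}

// Return the paths of every constraint in `where` that targets an internal or
// protected field of `className`. An empty array means the query may proceed.
function forbiddenConstraints(className, where, policy = PROTECTED_FIELDS, path = 'where', out = []) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) return out;
  const protectedSet = new Set(policy[className] || []);
  for (const key of Object.keys(where)) {
    const value = where[key];
    const here = `${path}.${key}`;
    if (LOGICAL_OPS.has(key)) {
      if (Array.isArray(value)) {
        value.forEach((clause, i) =>
          forbiddenConstraints(className, clause, policy, `${path}.${key}[${i}]`, out));
      }
      continue;
    }
    // A dotted path ("authData.facebook.id") constrains its first segment.
    const field = key.split('.')[0];
    if (isInternalField(field) || protectedSet.has(field)) out.push(here);
    // Sub-queries constrain another class; validate them against that class.
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      for (const op of Object.keys(value)) {
        const sub = subQueryOf(op, value[op]);
        if (sub && sub.className) {
          forbiddenConstraints(sub.className, sub.where, policy, `${here}.${op}.where`, out);
        }
      }
    }
  }
  return out;
}

// Gate used by a request handler: the master key bypasses the check, as it
// bypasses read permissions generally; everyone else gets a yes/no plus the
// offending paths for the audit log.
function checkQuery(className, where, { isMaster = false } = {}) {
  if (isMaster) return { ok: true, violations: [] };
  const violations = forbiddenConstraints(className, where);
  return { ok: violations.length === 0, violations };
}
```

The first test below is the CVE-2020-5251 shape, a `$regex` on `sessionToken`, which should never be answerable by a non-master client.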
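CVE-2023-22474 is a configuration trap rather than a parsing bug: if the server reads `x-forwarded-for` while not actually sitting behind a proxy, the "client IP" is whatever the client writes, and any IP-keyed control (rate limiting, brute-force lockout, IP allowlists) can be bypassed by rotating the header. The following added example, not Parse Server's code, shows the derivation a rate limiter should use: ignore the header unless the TCP peer is a proxy you operate, and then walk the chain from the right to find the first address a trusted hop did not insert. The `trustedProxies` set, the request stubs and the traffic sample are constructed for the illustration.

```javascript
'use strict';

function parseForwardedFor(headerValue) {
  if (!headerValue) return [];
  return String(headerValue).split(',').map(s => s.trim()).filter(Boolean);
}

// The vulnerable policy: trust the left-most X-Forwarded-For entry
// unconditionally. `req` is a stub { socketAddress, headers } with the header
// name lower-cased as Node.js does.
function naiveClientIp(req) {
  const chain = parseForwardedFor(req.headers['x-forwarded-for']);
  return chain.length ? chain[0] : req.socketAddress;
}

// Hardened policy. `trustedProxies` is a Set of proxy addresses; empty or
// undefined means "not behind a proxy", so the header is attacker-controlled
// and ignored. When the peer is a trusted proxy, walk the chain from the right:
// every trusted hop appended the address it saw, so the first untrusted entry
// is the real client and everything left of it was supplied by the client.
function clientIp(req, trustedProxies) {
  const peer = req.socketAddress;
  if (!trustedProxies || trustedProxies.size === 0 || !trustedProxies.has(peer)) {
    return peer;
  }
  const chain = parseForwardedFor(req.headers['x-forwarded-for']);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(chain[i])) return chain[i];
  }
  return peer; // header absent or made only of trusted hops
}

// Minimal fixed-window counter keyed by whatever `keyFn` derives, to show how
// the two policies behave against spoofing.
function countRequests(requests, keyFn) {
  const counts = new Map();
  for (const req of requests) {
    const ip = keyFn(req);
    counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  return counts;
}

// Constructed traffic: one attacker at 198.51.100.7, connected directly to the
// server (no proxy), sends five requests each with a different forged header.
function spoofAttempt() {
  return Array.from({ length: 5 }, (_, i) => ({
    socketAddress: '198.51.100.7',
    headers: { 'x-forwarded-for': `203.0.113.${i + 1}` },
  }));
}
```

Under `naiveClientIp` the five requests land in five different buckets, so a per-IP limit never trips; under `clientIp` with no trusted proxies they all count against 198.51.100.7. The last test case covers the other half of the trap: when the server is reachable both through the proxy and directly, a direct connection from an untrusted peer must not have its header honoured either.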
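A practical caveat when using a list like the one above: the single "Fixed in" column names one version, but many of the descriptions state a fix on each maintained branch (for example CVE-2022-39225 is fixed in 4.10.15 and 5.2.6). A scanner that only compares the installed version against the one listed version will flag 4.10.20 as vulnerable to CVE-2022-39225 even though the 4.x branch was patched. The added example below, which is not part of this page's tooling, compares an installed parse-server version against branch-aware fix data transcribed from a handful of the entries above, with prerelease-aware semver comparison so that 7.0.0-alpha.9 sorts before 7.0.0-alpha.20 and before 7.0.0. The rule for an installed major with no fix on its own branch (exposed only if older than every fixed version) is our own assumption and should be confirmed against the full advisory for each CVE.

```javascript
'use strict';

// Fix data transcribed from the descriptions above (a sample, not the full list).
// `fixed` holds one version per maintained branch; `introduced` is the first
// affected version where the advisory states one.
const ADVISORIES = [
  { id: 'CVE-2022-39225', fixed: ['4.10.15', '5.2.6'] },
  { id: 'CVE-2022-39396', fixed: ['4.10.18', '5.3.1'] },
  { id: 'CVE-2022-41878', fixed: ['4.10.19', '5.3.2'] },
  { id: 'CVE-2023-36475', fixed: ['5.5.2', '6.2.1'] },
  { id: 'CVE-2024-27298', fixed: ['6.5.0', '7.0.0-alpha.20'] },
  { id: 'CVE-2024-39309', fixed: ['6.5.7', '7.1.0'] },
  { id: 'CVE-2025-53364', introduced: '5.3.0', fixed: ['7.5.3', '8.2.2'] },
];

// Parse "MAJOR.MINOR.PATCH[-pre.release][+build]" (build metadata is ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// Semver prerelease rules: a release outranks any prerelease of the same core;
// numeric identifiers compare numerically and sort before alphanumeric ones;
// a shorter list that is a prefix of the other sorts first.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (an !== bn) {
      return an ? -1 : 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return a.length === b.length ? 0 : (a.length < b.length ? -1 : 1);
}

function compareVersions(x, y) {
  const a = parseVersion(x), b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

// What a scanner that only knows the single "Fixed in" column does:
// exposed iff installed < that one version. Produces false positives on
// older branches that received their own backported fix.
function naiveIsExposed(installed, fixedIn) {
  return compareVersions(installed, fixedIn) < 0;
}

// Branch-aware rule: if the advisory names a fix on the installed major branch,
// compare against it; otherwise treat the install as exposed only if it is
// older than every fixed version (it predates all patched branches).
function isExposed(installed, advisory) {
  if (advisory.introduced && compareVersions(installed, advisory.introduced) < 0) return false;
  const major = parseVersion(installed).core[0];
  const sameBranch = advisory.fixed.filter(f => parseVersion(f).core[0] === major);
  if (sameBranch.length) return sameBranch.some(f => compareVersions(installed, f) < 0);
  const oldest = advisory.fixed.reduce((m, f) => (compareVersions(f, m) < 0 ? f : m));
  return compareVersions(installed, oldest) < 0;
}

// CVE IDs from `advisories` that the installed version is exposed to.
function exposure(installed, advisories = ADVISORIES) {
  return advisories.filter(a => isExposed(installed, a)).map(a => a.id);
}
```

Run `exposure('4.10.20')` to see the difference: the three 2022 advisories drop out because the 4.x branch carries its own fixes, while the 2023 and 2024 advisories remain because no 4.x fix is named for them.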
Check whether parse-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for parse-server CVEs against the assets you own.