Skip to main content

Parse Server CVE-2023-41058

HIGH
Always-Incorrect Control Flow Implementation (CWE-670)
2023-09-04 security-advisories@github.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Sep 04, 2023 - 23:15 nvd
HIGH 7.5

DescriptionNVD

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the beforeFind trigger is invoked. This fix was introduced in commit be4c7e23c6 and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.

AnalysisAI

Parse Server is an open source backend server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-670. Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the beforeFind trigger is invoked. This fix was introduced in commit be4c7e23c6 and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers. Affected products include: Parseplatform Parse-Server.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2026-32248 CRITICAL POC
9.8 Mar 12

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

CVE-2026-32242 HIGH POC
7.4 Mar 12

### Impact Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all

CVE-2026-30966 CRITICAL
10.0 Mar 10

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

CVE-2024-27298 CRITICAL
10.0 Mar 01

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotel

CVE-2026-30863 CRITICAL
9.8 Mar 07

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popula

CVE-2026-31840 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

CVE-2026-31871 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

CVE-2026-31856 CRITICAL
9.8 Mar 11

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

CVE-2023-36475 CRITICAL
9.8 Jun 28

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41878 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

CVE-2022-41879 CRITICAL
9.8 Nov 10

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical s

Share

CVE-2023-41058 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy