Skip to main content

Parse Server CVE-2026-53725

| EUVDEUVD-2026-36540 MEDIUM
Information Exposure (CWE-200)
2026-06-12 GitHub_M GHSA-75v4-m273-5j49
5.9
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.9 MEDIUM

AC:H captures the dual server-side prerequisites (MFA enabled plus denied _User CLP); PR:N because /verifyPassword accepts plain credentials with no prior authenticated session required.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 20:01 EUVD
Source Code Evidence Fetched
Jun 12, 2026 - 19:21 vuln.today
Analysis Generated
Jun 12, 2026 - 19:21 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on parse-server (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 9.8.0.

DescriptionCVE.org

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.5, apps that enable MFA and deny get on the _User class via Class-Level Permissions could expose sensitive user data through the /login and /verifyPassword endpoints. These endpoints re-fetch the user through the access-controlled query pipeline (CLP, protectedFields, auth-adapter sanitizers) before responding. When that re-fetch was denied by the _User get permission, the server fell back to the raw database row, exposing raw authData (including MFA TOTP secrets and recovery codes) and fields hidden by protectedFields (when protectedFieldsOwnerExempt is false). /verifyPassword is the most severe: with only a username and password (no session or MFA token), an attacker who knows a victim's password could retrieve their MFA secret and recovery codes, defeating the second factor. This issue has been patched in version 9.9.1-alpha.5.

AnalysisAI

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Technical ContextAI

Parse Server (cpe:2.3:a:parse-community:parse-server) is a Node.js open-source backend that provides user authentication, class-level permissions (CLPs), protectedFields, and multi-factor authentication via TOTP. After credential validation on /login or /verifyPassword, the server re-fetches the _User record through an access-controlled pipeline in src/Routers/UsersRouter.js that enforces CLPs, protectedFields rules, and auth-adapter sanitizers - including replacing raw TOTP material with a safe status flag. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) describes the root cause: when the _User get CLP denies that re-fetch, instead of returning a sanitized partial record or an error, the server silently fell back to the raw database row, bypassing every sanitization layer. Fields protected by protectedFields are also leaked when protectedFieldsOwnerExempt is set to false. The fix in PR #10492 corrects the fallback behavior in UsersRouter.js so a denied re-fetch no longer returns unsanitized database content.

RemediationAI

Upgrade Parse Server to version 9.9.1-alpha.5 or later, which corrects the fallback behavior in src/Routers/UsersRouter.js (PR #10492: https://github.com/parse-community/parse-server/pull/10492); note that 9.9.1-alpha.5 is a pre-release alpha, so validate stability in staging before production deployment. If immediate upgrade is not feasible, removing the deny-get restriction from the _User CLP allows the re-fetch to succeed and the full sanitization pipeline to run normally, eliminating the unsafe fallback - this trades the CLP access restriction for correct data sanitization, so evaluate whether that CLP was enforcing other data isolation requirements before relaxing it. As a second interim measure, temporarily disabling the MFA feature removes the at-risk TOTP secret fields from authData entirely, at the cost of losing second-factor protection for all users until the patch is applied. No other workaround reliably prevents the raw database row from being returned without one of these two configuration changes.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-53725 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy