Parse Server
Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. This is a network-accessible vulnerability requiring no authentication that exposes sensitive schema information and enables potential denial-of-service attacks.
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur.
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37
An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround.
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36
An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. As a workaround, disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery.
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35
Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.
Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.
Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.
Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.
SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.
SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.
Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.
Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.
Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.
Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.
Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.
Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.
Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.
Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.
Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.
Parse Server versions up to 9.5.2 are affected by allocation of resources without limits or throttling (CVSS 7.5).
NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.
Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.
Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.
Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.
Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.
Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.
Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.
Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.
Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.
Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.
Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.
Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.