Skip to main content

Parse Server

72 CVEs product

Monthly

CVE-2026-61448 LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft File Upload Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2021-47987 npm HIGH PATCH This Week

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2021-47986 npm HIGH PATCH This Week

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-53726 npm MEDIUM PATCH GHSA This Month

Unauthenticated relation membership disclosure in Parse Server allows any client holding only standard public API credentials to read objects linked through a Relation field that is explicitly hidden by protectedFields, or linked to a parent object that is inaccessible under its ACL or class-level permissions. By supplying only a known or guessed owning object's objectId, a remote unauthenticated caller can enumerate all objects in a protected relation or use the $relatedTo operator as a membership oracle - confirming whether a specific child object is privately linked to a given parent. This directly undermines applications that use Parse Server's access control primitives to protect sensitive relationships such as private group memberships, block lists, or account-to-resource associations. No public exploit identified at time of analysis; vendor-released patches exist at versions 8.6.80 and 9.9.1-alpha.6.

Authentication Bypass Node.js Oracle Parse Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-53725 npm MEDIUM PATCH GHSA This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-53724 npm LOW PATCH GHSA Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-50008 npm MEDIUM PATCH GHSA This Month

Parse Server's operator-configured route firewall (`routeAllowList`) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the `/batch` endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the `/batch` handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on `routeAllowList` as a primary access-control layer are directly and materially affected.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-32594 npm HIGH PATCH This Week

Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. This is a network-accessible vulnerability requiring no authentication that exposes sensitive schema information and enables potential denial-of-service attacks.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-32269 npm MEDIUM PATCH This Month

Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-32248 npm CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure Node.js PostgreSQL Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32242 npm HIGH POC PATCH This Week

Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37

Node.js Race Condition Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.1%
CVE-2026-32234 npm MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-32098 npm HIGH PATCH This Week

An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35

Node.js Information Disclosure AI / ML Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31901 npm MEDIUM PATCH This Month

Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.

Node.js Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31875 npm MEDIUM PATCH This Month

Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.

Node.js Information Disclosure Parse Server
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-31872 npm HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Node.js PostgreSQL Authentication Bypass Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-31871 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31868 npm MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-31856 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31840 npm CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

Node.js PostgreSQL SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-31828 npm HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js DNS LDAP Privilege Escalation Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31800 npm CRITICAL PATCH Act Now

Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-30972 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30967 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30966 npm CRITICAL PATCH Act Now

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-30965 npm CRITICAL PATCH Act Now

Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30962 npm MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30949 npm HIGH PATCH This Week

Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30948 npm MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30947 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30946 npm HIGH PATCH This Week

Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30941 npm HIGH PATCH This Week

NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.

Node.js MongoDB SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30939 npm HIGH PATCH This Week

Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.

Node.js Denial Of Service Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30938 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30925 npm HIGH PATCH This Week

Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30863 npm CRITICAL PATCH Act Now

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30854 npm MEDIUM PATCH This Month

Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30850 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-30835 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30229 npm HIGH PATCH This Week

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-30228 npm MEDIUM PATCH This Month

Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.

Node.js Parse Server
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-29182 npm HIGH PATCH This Week

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-27804 npm CRITICAL PATCH Act Now

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2024-47183 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Parse Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.4%
CVE-2024-29027 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Node.js RCE Parse Server
NVD GitHub
CVSS 3.1
9.0
EPSS
1.2%
CVE-2024-27298 npm CRITICAL PATCH Act Now

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Node.js Parse Server
NVD GitHub
CVSS 3.1
10.0
EPSS
1.0%
CVE-2023-46119 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2023-41058 npm HIGH PATCH This Week

Parse Server is an open source backend server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2023-36475 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Node.js RCE Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
3.2%
CVE-2023-32689 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Node.js File Upload Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2023-22474 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
8.1
EPSS
0.7%
CVE-2022-41878 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.9%
CVE-2022-41879 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2022-39396 npm CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Prototype Pollution Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
38.7%
CVE-2022-39313 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2022-39231 npm LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js Parse Server
NVD GitHub
CVSS 3.1
3.7
EPSS
0.4%
CVE-2022-39225 npm LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Parse Server
NVD GitHub
CVSS 3.1
3.1
EPSS
0.4%
CVE-2022-36079 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.0%
CVE-2022-31112 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
8.2
EPSS
1.2%
CVE-2022-31089 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.1%
CVE-2022-31083 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Apple Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2022-24901 npm HIGH PATCH This Week

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2022-24760 npm CRITICAL POC PATCH THREAT Act Now

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ubuntu RCE Microsoft PostgreSQL Parse Server
NVD GitHub
CVSS 3.1
10.0
EPSS
49.1%
CVE-2021-41109 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-39187 npm HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
1.8%
CVE-2021-39138 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Node.js Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2020-26288 npm MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2020-15270 npm MEDIUM PATCH This Month

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
CVSS 3.1
4.3
EPSS
1.2%
CVE-2020-15126 npm MEDIUM PATCH This Month

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
6.5
EPSS
1.1%
CVE-2020-5251 npm MEDIUM PATCH This Month

In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.8%
CVE-2019-1020013 npm MEDIUM PATCH This Month

parse-server before 3.6.0 allows account enumeration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Parse Server
NVD GitHub
CVSS 3.0
5.3
EPSS
1.2%
CVE-2019-1020012 npm HIGH PATCH This Week

parse-server before 3.4.1 allows DoS after any POST to a volatile class. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Parse Server
NVD GitHub
CVSS 3.0
7.5
EPSS
1.4%
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS execution in Parse Server (versions 9.0.0 through pre-9.10.0-alpha.2 and all 8.x releases through 8.6.83) allows authenticated users with file-upload permissions to inject persistent JavaScript that executes in the application's origin against other users, but only when a cloud-based storage adapter is configured. By crafting a deliberately malformed Content-Type header - such as 'image' or 'image/' - an attacker exploits a gap in the mime-package lookup path that renders the fileUpload.fileExtensions blocklist ineffective, causing the malformed value to be stored verbatim in Amazon S3, Google Cloud Storage, or Azure Blob Storage. Browsers receiving a syntactically invalid Content-Type fall back to MIME sniffing and render HTML file bodies as web pages in the application's origin; no public exploit has been identified and the vulnerability is absent from CISA KEV, but the stored nature means a single successful upload persists as a live threat until patched or the file is removed.

XSS Google Microsoft +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Parse Server before 4.10.0 was affected by a supply chain incident in which incorrect version tags were pushed to the official repository pointing to an unreviewed personal fork of a contributor with. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated relation membership disclosure in Parse Server allows any client holding only standard public API credentials to read objects linked through a Relation field that is explicitly hidden by protectedFields, or linked to a parent object that is inaccessible under its ACL or class-level permissions. By supplying only a known or guessed owning object's objectId, a remote unauthenticated caller can enumerate all objects in a protected relation or use the $relatedTo operator as a membership oracle - confirming whether a specific child object is privately linked to a given parent. This directly undermines applications that use Parse Server's access control primitives to protect sensitive relationships such as private group memberships, block lists, or account-to-resource associations. No public exploit identified at time of analysis; vendor-released patches exist at versions 8.6.80 and 9.9.1-alpha.6.

Authentication Bypass Node.js Oracle +1
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Parse Server 9.8.0-9.9.0 exposes raw MFA TOTP secrets and recovery codes through the /verifyPassword and /login endpoints when the _User class-level permission (CLP) is configured to deny get operations. An attacker with knowledge of a victim's username and password can call /verifyPassword without a session token or MFA token and receive the victim's plaintext TOTP secret and recovery codes in the response, completely defeating the second authentication factor. No public exploit has been identified at time of analysis; a patch exists in version 9.9.1-alpha.5, and the EPSS score of 0.04% (13th percentile) reflects limited opportunistic exploitation so far.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 2.1
LOW PATCH Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js +1
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Parse Server's operator-configured route firewall (`routeAllowList`) is bypassed in versions 9.8.0 through 9.9.1-alpha.3 when external clients POST to the `/batch` endpoint with sub-requests targeting routes the operator intended to block. The Express middleware enforcing the allow-list runs only against the outer HTTP request URL; the `/batch` handler dispatches each embedded sub-request to the internal router without re-running that check. Inner authorization controls - Parse authentication, ACL, and CLP - remain in effect, bounding actual data exposure to whatever those controls permit, but the route-level security boundary is defeated entirely. No public exploit has been identified and EPSS is 0.08%, though operators relying on `routeAllowList` as a primary access-control layer are directly and materially affected.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. This is a network-accessible vulnerability requiring no authentication that exposes sensitive schema information and enables potential denial-of-service attacks.

Authentication Bypass Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.

Information Disclosure Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.

Information Disclosure Node.js PostgreSQL +1
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH POC PATCH This Week

Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected. The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated. There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37

Node.js Race Condition Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

An attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a `$regex` query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using PostgreSQL. The fix applies proper SQL identifier escaping to field names in the query handler and hardens query field name validation to reject malicious field names for all query types. There is no known workaround. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-c442-97qw-j6c6 - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.10 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.36

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

An attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or `$regex`), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both `protectedFields` configured in Class-Level Permissions and LiveQuery enabled. The fix adds validation of the LiveQuery subscription WHERE clause against the class's protected fields, mirroring the existing REST API validation. If a subscription's WHERE clause references a protected field directly, via dot-notation, or inside `$or` / `$and` / `$nor` operators, the subscription is rejected with a permission error. This is applied during subscription creation, so existing event delivery paths are not affected. Disable LiveQuery for classes that use `protectedFields` in their Class-Level Permissions, or remove `protectedFields` from classes that require LiveQuery. - GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-j7mm-f4rv-6q6q - Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.9 - Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.35

Node.js Information Disclosure AI / ML +1
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions before 8.6.34 and 9.6.0-alpha.8 leak user registration status through differential error responses on the email verification endpoint, enabling attackers to enumerate valid email addresses in the system when email verification is enabled. Deployments with verifyUserEmails set to true are vulnerable to this user enumeration attack, which allows an attacker to systematically identify registered accounts by analyzing response codes from the /verificationEmailRequest endpoint. No patch is currently available for affected installations.

Node.js Information Disclosure Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Parse Server's TOTP-based multi-factor authentication fails to invalidate recovery codes after use, allowing an attacker with a single recovery code to authenticate repeatedly as an affected user. This vulnerability impacts Parse Server deployments prior to versions 9.6.0-alpha.7 and 8.6.33, where recovery codes intended as single-use fallback mechanisms can be exploited indefinitely to bypass MFA protections. No patch is currently available for affected versions.

Node.js Information Disclosure Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.6.0-alpha.6 and 8.6.32 allow attackers to bypass class-level permission restrictions on protected fields by using dot-notation in query and sort parameters, enabling enumeration of sensitive field values through binary oracle attacks. This affects both MongoDB and PostgreSQL deployments and requires no authentication or user interaction. No patch is currently available for affected versions.

Node.js PostgreSQL Authentication Bypass +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31. Third Parse Server SQLi.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Stored XSS in Parse Server prior to versions 9.6.0-alpha.4 and 8.6.30 allows unauthenticated attackers to upload files with dangerous extensions (such as .svgz, .xht, .xml) that bypass default upload filters and execute malicious scripts in users' browsers within the Parse Server domain. Successful exploitation enables attackers to steal session tokens, hijack user accounts, or perform unauthorized actions on behalf of victims. User interaction is required to trigger the vulnerability when victims access the uploaded malicious files.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.5/8.6.31.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

SQL injection in Parse Server before 9.6.0-alpha.2/8.6.28.

Node.js PostgreSQL SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js DNS LDAP +2
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.

Node.js MongoDB SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.

Node.js Denial Of Service Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 9.0
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required.

Node.js RCE Parse Server
NVD GitHub
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

parse-server is a Parse Server for Node.js / Express. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This SQL Injection vulnerability could allow attackers to execute arbitrary SQL commands against the database.

SQLi PostgreSQL Node.js +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Node.js Denial Of Service Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend server. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Parse Server
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) vulnerability could allow attackers to modify object prototypes to inject properties affecting application logic.

Node.js RCE Prototype Pollution +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Unrestricted File Upload vulnerability could allow attackers to upload malicious files that can be executed on the server.

Node.js File Upload Parse Server
NVD GitHub
EPSS 1% CVSS 8.1
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js Authentication Bypass Prototype Pollution +1
NVD GitHub
EPSS 39% CVSS 9.8
CRITICAL PATCH Act Now

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Node.js RCE Prototype Pollution +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 3.1
LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 8.2
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Node.js Apple +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Apple Parse Server
NVD GitHub
EPSS 49% CVSS 10.0
CRITICAL POC PATCH THREAT Act Now

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Ubuntu RCE Microsoft +2
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Node.js Parse Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Node.js Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.

Node.js Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

In parser-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can by pass all read security on his User object and can also by pass all objects linked via. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Incorrect Authorization vulnerability could allow attackers to bypass authorization checks to access restricted resources.

Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

In parser-server before version 4.1.0, you can fetch all the users objects, by using regex in the NoSQL query. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Authentication Bypass Parse Server
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

parse-server before 3.6.0 allows account enumeration. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Parse Server
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

parse-server before 3.4.1 allows DoS after any POST to a volatile class. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

Request Smuggling Information Disclosure Parse Server
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy