parse-server
An express module providing a Parse-compatible API server
Security Advisories for parse-server in npm
Moderate
about 24 hours ago
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
npm
parse-server
High
8 days ago
Parse Server: Pre-authentication denial of service via client version header regex backtracking
npm
parse-server
Low
25 days ago
parse-server: MFA SMS one-time password accepted twice under concurrent login
npm
parse-server
Moderate
about 2 months ago
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
npm
parse-server
Moderate
about 2 months ago
Parse Server has a login timing side-channel reveals user existence
npm
parse-server
Low
about 2 months ago
Parse Server: File upload Content-Type override via extension mismatch
npm
parse-server
High
about 2 months ago
Parse Server's streaming file download bypasses afterFind file trigger authorization
npm
parse-server
Moderate
about 2 months ago
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
npm
parse-server
Moderate
about 2 months ago
Parse Server has a session field immutability bypass via falsy-value guard
npm
parse-server
High
about 2 months ago
parse-server has GraphQL complexity validator exponential fragment traversal DoS
npm
parse-server
Critical
about 2 months ago
parse-server has cloud function validator bypass via prototype chain traversal
npm
parse-server
High
2 months ago
LiveQuery protected field leak via shared mutable state across concurrent subscribers
npm
parse-server
Low
2 months ago
Parse Server has an MFA single-use token bypass via concurrent authData login requests
npm
parse-server
Low
2 months ago
Parse Server: MFA recovery code single-use bypass via concurrent requests
npm
parse-server
High
2 months ago
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
npm
parse-server
High
2 months ago
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
npm
parse-server
Moderate
2 months ago
Parse Server's Session Update endpoint allows overwriting server-generated session fields
npm
parse-server
High
2 months ago
Parse Server has a query condition depth bypass via pre-validation transform pipeline
npm
parse-server
Moderate
2 months ago
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
npm
parse-server
High
2 months ago
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
npm
parse-server
High
2 months ago
Parse Server has an auth provider validation bypass on login via partial authData
npm
parse-server
Moderate
2 months ago
Parse Server email verification resend page leaks user existence
npm
parse-server
High
2 months ago
Parse Server leaks protected fields via LiveQuery afterEvent trigger
npm
parse-server
Moderate
2 months ago
Parse Server affected by empty authData bypassing credential requirement on signup
npm
parse-server
Moderate
2 months ago
Parse Server LiveQuery subscription with invalid regular expression crashes server
npm
parse-server
Moderate
2 months ago
Parse Server session creation endpoint allows overwriting server-generated session fields
npm
parse-server
Moderate
2 months ago
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
npm
parse-server
High
2 months ago
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
npm
parse-server
Low
2 months ago
Parse Server has a password reset token single-use bypass via concurrent requests
npm
parse-server
High
3 months ago
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
npm
parse-server
Moderate
3 months ago
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
npm
parse-server
Moderate
3 months ago
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
npm
parse-server
Critical
3 months ago
Parse Server: Account takeover via operator injection in authentication data identifier
npm
parse-server
Critical
3 months ago
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
npm
parse-server
Moderate
3 months ago
Parse Server has a SQL injection via query field name when using PostgreSQL
npm
parse-server
Moderate
3 months ago
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
npm
parse-server
Moderate
3 months ago
Parse Server vulnerable to user enumeration via email verification endpoint
npm
parse-server
High
3 months ago
Parse Server has a protected fields bypass via dot-notation in query and sort
npm
parse-server
Critical
3 months ago
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
npm
parse-server
Moderate
3 months ago
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
npm
parse-server
Critical
3 months ago
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
npm
parse-server
Moderate
3 months ago
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
npm
parse-server
High
3 months ago
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
npm
parse-server
Moderate
3 months ago
Parse Server has a rate limit bypass via batch request endpoint
npm
parse-server
High
3 months ago
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
npm
parse-server
Critical
3 months ago
Parse Server has role escalation and CLP bypass via direct `_Join` table write
npm
parse-server
Critical
3 months ago
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
npm
parse-server
High
3 months ago
Parse Server has a protected fields bypass via logical query operators
npm
parse-server
High
3 months ago
Parse Server missing audience validation in Keycloak authentication adapter
npm
parse-server
High
3 months ago
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
npm
parse-server
High
3 months ago
Parse Server has a bypass of class-level permissions in LiveQuery
npm
parse-server
High
3 months ago
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
npm
parse-server
High
3 months ago
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
npm
parse-server
Critical
3 months ago
Parse Server: SQL injection via dot-notation field name in PostgreSQL
npm
parse-server
High
3 months ago
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
npm
parse-server
Moderate
3 months ago
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
npm
parse-server
High
3 months ago
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
npm
parse-server
Critical
3 months ago
Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
npm
parse-server
Moderate
3 months ago
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
npm
parse-server
Moderate
3 months ago
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
npm
parse-server
Moderate
3 months ago
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
npm
parse-server
Moderate
3 months ago
parse-server: Malformed `$regex` query leaks database error details in API response
npm
parse-server
High
3 months ago
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
npm
parse-server
Moderate
3 months ago
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
npm
parse-server
High
3 months ago
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
npm
parse-server
Critical
3 months ago
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
npm
parse-server
High
5 months ago
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
npm
parse-server
Moderate
5 months ago
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
npm
parse-server
Moderate
7 months ago
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
npm
parse-server
High
7 months ago
Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
npm
parse-server
High
over 1 year ago
Parse Server's custom object ID allows to acquire role privileges
npm
parse-server
Critical
almost 2 years ago
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
npm
parse-server
Critical
about 2 years ago
Server crashes on invalid Cloud Function or Cloud Job name
npm
parse-server
Critical
about 2 years ago
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
npm
parse-server
High
over 2 years ago
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
npm
parse-server
Critical
almost 3 years ago
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
npm
parse-server
Moderate
almost 3 years ago
Phishing attack vulnerability by uploading malicious HTML file
npm
parse-server
High
over 3 years ago
Parse Server option `masterKeyIps` vulnerability to IP spoofing
npm
parse-server
High
over 3 years ago
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
npm
parse-server
High
over 3 years ago
Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
npm
parse-server
Critical
over 3 years ago
Remote code execution via MongoDB BSON parser through prototype pollution
npm
parse-server
High
over 3 years ago
parse-server crashes when receiving file download request with invalid byte range
npm
parse-server
Low
over 3 years ago
parse-server auth adapter app ID validation can be circumvented
npm
parse-server
Moderate
over 3 years ago
parse-server's session object properties can be updated by foreign user if object ID is known
npm
parse-server
High
over 3 years ago
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
npm
parse-server
High
almost 4 years ago
Authentication bypass vulnerability in Apple Game Center auth adapter
npm
parse-server
High
about 4 years ago
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
npm
parse-server
Critical
about 4 years ago
Command injection in Parse Server through prototype pollution
npm
parse-server