Low severity · NVD Advisory · Published Dec 30, 2020 · Updated Aug 4, 2024
Parse Server stores password in plain text
CVE-2020-26288
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package, "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping the password after authentication to prevent cleartext password storage.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | < 4.5.0 | 4.5.0 |
Affected products
- Range: < 4.5.0
Patches
da905a357d06 Merge pull request from GHSA-4w46-w44m-3jq3
https://github.com/parse-community/parse-server — Antonio Davi Macedo Coelho de Castro — Dec 2, 2020, via ghsa
2 files changed · +47 −0
spec/LdapAuth.spec.js+46 −0 modified@@ -211,3 +211,49 @@ it('Should fail if the LDAP server encounters an error while searching', done => .finally(() => server.close()); }); }); + +it('Should delete the password from authData after validation', done => { + mockLdapServer(port, 'uid=testuser, o=example', true).then(server => { + const options = { + suffix: 'o=example', + url: `ldap://localhost:${port}`, + dn: 'uid={{id}}, o=example' + }; + + const authData = { id: 'testuser', password: 'secret' }; + + ldap + .validateAuthData(authData, options) + .then(() => { + expect(authData).toEqual({ id: 'testuser' }); + done(); + }) + .catch(done.fail) + .finally(() => server.close()); + }); +}); + +it('Should not save the password in the user record after authentication', done => { + mockLdapServer(port, 'uid=testuser, o=example', true).then(server => { + const options = { + suffix: 'o=example', + url: `ldap://localhost:${port}`, + dn: 'uid={{id}}, o=example' + }; + reconfigureServer({ auth: { ldap: options } }).then(() => { + const authData = { authData: { id: 'testuser', password: 'secret' } }; + Parse.User.logInWith('ldap', authData).then((returnedUser) => { + const query = new Parse.Query("User"); + query + .equalTo('objectId', returnedUser.id).first({ useMasterKey: true }) + .then((user) => { + expect(user.get('authData')).toEqual({ ldap:{ id: 'testuser' }}); + expect(user.get('authData').ldap.password).toBeUndefined(); + done(); + }) + .catch(done.fail) + .finally(() => server.close()) + }) + }); + }); +});
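Review bot: Both new tests exercise only a successful bind, so the strip on the failure path — which the fix applies before checking `ldapError`, i.e. unconditionally — is left untested; a third case that binds with a wrong password and asserts `expect(authData.password).toBeUndefined()` inside the `.catch` handler would pin that behaviour. In the second test the `reconfigureServer({ auth: { ldap: options } }).then(...)` chain and the inner `Parse.User.logInWith('ldap', authData).then(...)` call carry no rejection handler, so a failure there times the spec out instead of reporting through `done.fail`; appending `.catch(done.fail)` to the outer chain fixes that. The `.finally(() => server.close())` in the second test is also missing its terminating semicolon, unlike its sibling in the first test.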
src/Adapters/Auth/ldap.js+1 −0 modified@@ -23,6 +23,7 @@ function validateAuthData(authData, options) { return new Promise((resolve, reject) => { client.bind(userCn, authData.password, ldapError => { + delete(authData.password); if (ldapError) { let error; switch (ldapError.code) {
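Review bot: The strip runs only once the bind callback fires, so if `client.bind` throws synchronously, or if the client surfaces a failure through an error event rather than the callback, `authData.password` stays on the object the caller goes on to persist; stripping before the bind closes that gap: `const { password } = authData;` / `delete authData.password;` / `client.bind(userCn, password, ldapError => {`. The parenthesised `delete(authData.password)` also reads like a function call; `delete` is an operator and `delete authData.password;` is the conventional form. Since mutating the caller-supplied `authData` is the whole fix, a one-line comment such as `// strip the credential so it is never persisted with the user's authData` would keep a later refactor from dropping it. validateAuthData starts and ends outside the hunk.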
References
- github.com/advisories/GHSA-4w46-w44m-3jq3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-26288 (ghsa, ADVISORY)
- github.com/parse-community/parse-server/commit/da905a357d062ab4fea727a21eac231acc2ed92a (ghsa, x_refsource_MISC, WEB)
- github.com/parse-community/parse-server/releases/tag/4.5.0 (ghsa, x_refsource_MISC, WEB)
- github.com/parse-community/parse-server/security/advisories/GHSA-4w46-w44m-3jq3 (ghsa, x_refsource_CONFIRM, WEB)
- www.npmjs.com/advisories/1593 (ghsa, WEB)
- www.npmjs.com/package/parse-server (ghsa, x_refsource_MISC, WEB)