Parse Server literalizeRegexPart SQL Injection
Description
parse-server is the Parse Server backend for Node.js / Express. A crafted `$regex` constraint in a query can inject SQL when Parse Server is configured to use the PostgreSQL database: the quote escaping in `literalizeRegexPart` in the Postgres storage adapter doubled only the first single quote in the pattern, so a later quote could close the SQL string literal. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| parse-server (npm) | < 6.5.0 | 6.5.0 |
| parse-server (npm) | >= 7.0.0-alpha.1, < 7.0.0-alpha.20 | 7.0.0-alpha.20 |
Affected products
- Range: < 6.5.0
Patches
cbefe770a726 fix: Improve PostgreSQL injection detection; fixes security vulnerability [GHSA-6927-3vr9-fxf2](https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2) which affects Parse Server deployments using a Postgres database (#8961)
2 files changed · +26 −1
spec/vulnerabilities.spec.js+25 −0 modified@@ -433,3 +433,28 @@ describe('Vulnerabilities', () => { }); }); }); + +describe('Postgres regex sanitizater', () => { + it('sanitizes the regex correctly to prevent Injection', async () => { + const user = new Parse.User(); + user.set('username', 'username'); + user.set('password', 'password'); + user.set('email', 'email@example.com'); + await user.signUp(); + + const response = await request({ + method: 'GET', + url: + "http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--", + headers: { + 'Content-Type': 'application/json', + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest', + }, + }); + + expect(response.status).toBe(200); + expect(response.data.results).toEqual(jasmine.any(Array)); + expect(response.data.results.length).toBe(0); + }); +});
src/Adapters/Storage/Postgres/PostgresStorageAdapter.js+1 −1 modified@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) { .replace(/([^\\])(\\Q)/, '$1') .replace(/^\\E/, '') .replace(/^\\Q/, '') - .replace(/([^'])'/, `$1''`) + .replace(/([^'])'/g, `$1''`) .replace(/^'([^'])/, `''$1`); }
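Review bot: in the `PostgresStorageAdapter.js` hunk, adding `g` to `.replace(/([^'])'/g, `$1''`)` still leaves a quote that directly follows another quote untouched, because the `([^'])` group must consume a non-quote character before each match: `a''b` comes out as `a'''b`, an odd number of quotes that can still end the literal. Suggest replacing both quote rules with an unconditional `.replace(/'/g, "''")`, which doubles every quote including a leading one, so the separate `.replace(/^'([^'])/, `''$1`)` rule becomes unnecessary.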
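Review bot: the new spec in `spec/vulnerabilities.spec.js` asserts only a 200 status and an empty results array, which does not by itself show whether the injected `PG_SLEEP(3)` executed. Suggest timing the request and asserting it completes well under 3 seconds, and adding cases for a pattern that starts with a quote and for two adjacent quotes, since those are handled by different replace rules than the one the fix changes. Also `sanitizater` in the describe title should read `sanitizer`.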
a6e654943536 fix: Improve PostgreSQL injection detection; fixes security vulnerability [GHSA-6927-3vr9-fxf2](https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2) which affects Parse Server deployments using a Postgres database (#8960)
2 files changed · +26 −1
spec/vulnerabilities.spec.js+25 −0 modified@@ -459,3 +459,28 @@ describe('Vulnerabilities', () => { }); }); }); + +describe('Postgres regex sanitizater', () => { + it('sanitizes the regex correctly to prevent Injection', async () => { + const user = new Parse.User(); + user.set('username', 'username'); + user.set('password', 'password'); + user.set('email', 'email@example.com'); + await user.signUp(); + + const response = await request({ + method: 'GET', + url: + "http://localhost:8378/1/classes/_User?where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--", + headers: { + 'Content-Type': 'application/json', + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest', + }, + }); + + expect(response.status).toBe(200); + expect(response.data.results).toEqual(jasmine.any(Array)); + expect(response.data.results.length).toBe(0); + }); +});
src/Adapters/Storage/Postgres/PostgresStorageAdapter.js+1 −1 modified@@ -2656,7 +2656,7 @@ function literalizeRegexPart(s: string) { .replace(/([^\\])(\\Q)/, '$1') .replace(/^\\E/, '') .replace(/^\\Q/, '') - .replace(/([^'])'/, `$1''`) + .replace(/([^'])'/g, `$1''`) .replace(/^'([^'])/, `''$1`); }
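Review bot: the `PostgresStorageAdapter.js` hunk here is the same one-line change as in the other fix commit (only the spec hunk's context offset differs, 459 rather than 433), and it carries the same limitation: `/([^'])'/g` never matches a quote that immediately follows another quote, so `a''b` still becomes `a'''b`. Consider the unconditional `.replace(/'/g, "''")` in this commit as well so both release lines escape identically.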
Vulnerability mechanics
`literalizeRegexPart` in `src/Adapters/Storage/Postgres/PostgresStorageAdapter.js` escapes single quotes in a `$regex` value by doubling them, the escape for a quote inside a single-quoted SQL literal. Before the fix, `.replace(/([^'])'/, `$1''`)` ran without the `g` flag, so only the first quote in the pattern was doubled and every later quote passed through unchanged. With the regression test's constraint, `where[username][$regex]=A'B';SELECT PG_SLEEP(3);--`, the escaped value was `A''B';SELECT PG_SLEEP(3);--`: the second quote ends the literal and the rest of the user-controlled value lands outside it, where it is interpreted as SQL. The fix adds the `g` flag so every quote that follows a non-quote character is doubled; the second commit applies the same change to the other release line.
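The escaping before and after the fix, as an added example in JavaScript that is not Parse Server code: it reproduces only the two quote-handling replace() calls at the end of literalizeRegexPart as they appear in the diff hunks, applies them to the payload from the advisory's regression test, and counts the quotes that would end a single-quoted SQL literal. The buildRegexPredicate helper and the column name are assumptions about how the adapter interpolates the pattern, and escapeQuotesStrict is a suggested alternative, not what the project shipped.

```javascript
// Added example, not Parse Server code. It reproduces only the two
// quote-handling replace() calls at the end of literalizeRegexPart(), as they
// appear in the diff hunks, so pre-fix and post-fix behaviour can be compared
// on a concrete payload.

// Pre-fix: no `g` flag, so only the first quote that follows a non-quote
// character is doubled.
function escapeQuotesVulnerable(s) {
  return s.replace(/([^'])'/, "$1''").replace(/^'([^'])/, "''$1");
}

// Post-fix: the `g` flag doubles every quote that follows a non-quote character.
function escapeQuotesFixed(s) {
  return s.replace(/([^'])'/g, "$1''").replace(/^'([^'])/, "''$1");
}

// Suggested alternative (an assumption, not what the project shipped): double
// every quote unconditionally, so a quote preceded by another quote is covered.
function escapeQuotesStrict(s) {
  return s.replace(/'/g, "''");
}

// Assumed shape of the generated predicate: the escaped pattern is placed
// inside a single-quoted literal next to the `~` operator. Column name is
// illustrative.
function buildRegexPredicate(column, escapedPattern) {
  return `"${column}" ~ '${escapedPattern}'`;
}

// Inside a single-quoted literal, a doubled quote ('') is an escaped quote and
// any other quote ends the literal. Count the quotes that would end it; a
// correctly escaped value yields 0.
function countLiteralTerminators(escaped) {
  let n = 0;
  for (let i = 0; i < escaped.length; i++) {
    if (escaped[i] !== "'") continue;
    if (escaped[i + 1] === "'") {
      i++; // doubled pair, still inside the literal
    } else {
      n++;
    }
  }
  return n;
}

// Constructed from the advisory's regression test URL
// (where[username][$regex]=A'B'%3BSELECT+PG_SLEEP(3)%3B--), URL-decoded.
const ADVISORY_PAYLOAD = "A'B';SELECT PG_SLEEP(3);--";

// Run one escaper over a pattern and report what would reach the SQL text.
function evaluate(escaper, pattern) {
  const escaped = escaper(pattern);
  return {
    escaped,
    sql: buildRegexPredicate("username", escaped),
    terminators: countLiteralTerminators(escaped),
  };
}

for (const [name, fn] of [
  ["vulnerable", escapeQuotesVulnerable],
  ["fixed", escapeQuotesFixed],
  ["strict", escapeQuotesStrict],
]) {
  const r = evaluate(fn, ADVISORY_PAYLOAD);
  console.log(`${name}: ${r.sql}  (literal-terminating quotes: ${r.terminators})`);
}
```

Running it shows the pre-fix output leaving one quote that ends the literal, and the post-fix output leaving none for this payload. Feeding `a''b` to escapeQuotesFixed shows the remaining edge of the `([^'])'` pattern: the quote after a quote is never matched, so the result has an odd number of quotes, while escapeQuotesStrict doubles both.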
References
- github.com/advisories/GHSA-6927-3vr9-fxf2 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-27298 (NVD entry)
- github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 (fix commit)
- github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833 (fix commit)
- github.com/parse-community/parse-server/releases/tag/6.5.0 (release)
- github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 (release)
- github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 (project advisory)