Parse Server crash and RCE via invalid Cloud Function or Cloud Job name
Description
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name before it reaches Parse Server.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
parse-servernpm | < 6.5.5 | 6.5.5 |
parse-servernpm | >= 7.0.0-alpha.1, < 7.0.0-alpha.29 | 7.0.0-alpha.29 |
Affected products
1- Range: < 6.5.5
Patches
25ae6d6a36d75fix: Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability [GHSA-6hh7-46r2-vf29](https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29) (#9023)
2 files changed · +40 −1
spec/ParseHooks.spec.js+33 −0 modified@@ -694,3 +694,36 @@ describe('triggers', () => { expect(req.context).toBeUndefined(); }); }); + +describe('sanitizing names', () => { + const invalidNames = [ + `test'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5cxxxxxxxxxxxxxxx.yyyyy'%2b'fy.com%5cxus'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20`, + `test.function.name`, + ]; + + it('should not crash server and return error on invalid Cloud Function name', async () => { + for (const invalidName of invalidNames) { + let error; + try { + await Parse.Cloud.run(invalidName); + } catch (err) { + error = err; + } + expect(error).toBeDefined(); + expect(error.message).toMatch(/Invalid function/); + } + }); + + it('should not crash server and return error on invalid Cloud Job name', async () => { + for (const invalidName of invalidNames) { + let error; + try { + await Parse.Cloud.startJob(invalidName); + } catch (err) { + error = err; + } + expect(error).toBeDefined(); + expect(error.message).toMatch(/Invalid job/); + } + }); +});
src/triggers.js+7 −1 modified@@ -86,6 +86,12 @@ const Category = { }; function getStore(category, name, applicationId) { + const invalidNameRegex = /['"`]/; + if (invalidNameRegex.test(name)) { + // Prevent a malicious user from injecting properties into the store + return {}; + } + const path = name.split('.'); path.splice(-1); // remove last component applicationId = applicationId || Parse.applicationId; @@ -94,7 +100,7 @@ function getStore(category, name, applicationId) { for (const component of path) { store = store[component]; if (!store) { - return undefined; + return {}; } } return store;
9f6e3429d3b3fix: Server crashes on invalid Cloud Function or Cloud Job name; fixes security vulnerability [GHSA-6hh7-46r2-vf29](https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29) (#9024)
2 files changed · +40 −1
spec/ParseHooks.spec.js+33 −0 modified@@ -694,3 +694,36 @@ describe('triggers', () => { expect(req.context).toBeUndefined(); }); }); + +describe('sanitizing names', () => { + const invalidNames = [ + `test'%3bdeclare%20@q%20varchar(99)%3bset%20@q%3d'%5c%5cxxxxxxxxxxxxxxx.yyyyy'%2b'fy.com%5cxus'%3b%20exec%20master.dbo.xp_dirtree%20@q%3b--%20`, + `test.function.name`, + ]; + + it('should not crash server and return error on invalid Cloud Function name', async () => { + for (const invalidName of invalidNames) { + let error; + try { + await Parse.Cloud.run(invalidName); + } catch (err) { + error = err; + } + expect(error).toBeDefined(); + expect(error.message).toMatch(/Invalid function/); + } + }); + + it('should not crash server and return error on invalid Cloud Job name', async () => { + for (const invalidName of invalidNames) { + let error; + try { + await Parse.Cloud.startJob(invalidName); + } catch (err) { + error = err; + } + expect(error).toBeDefined(); + expect(error.message).toMatch(/Invalid job/); + } + }); +});
src/triggers.js+7 −1 modified@@ -86,6 +86,12 @@ const Category = { }; function getStore(category, name, applicationId) { + const invalidNameRegex = /['"`]/; + if (invalidNameRegex.test(name)) { + // Prevent a malicious user from injecting properties into the store + return {}; + } + const path = name.split('.'); path.splice(-1); // remove last component applicationId = applicationId || Parse.applicationId; @@ -94,7 +100,7 @@ function getStore(category, name, applicationId) { for (const component of path) { store = store[component]; if (!store) { - return undefined; + return {}; } } return store;
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
7- github.com/advisories/GHSA-6hh7-46r2-vf29ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-29027ghsaADVISORY
- github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179bghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6eghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/releases/tag/6.5.5ghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29ghsax_refsource_MISCWEB
- github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.