VYPR

npm package

parse-server

pkg:npm/parse-server

Vulnerabilities (106)

  • CVE-2026-43930 | Low | May 12, 2026
    affected: >= 9.0.0, < 9.9.0-alpha.2 | fixed: 9.9.0-alpha.2

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.76 and 9.9.0-alpha.2, a race condition in the MFA SMS one-time password (OTP) login path allows two concurrent /login requests carrying the same OTP to both succee

  • CVE-2026-39381 | Medium | Apr 7, 2026
    affected: >= 9.0.0, < 9.8.0-alpha.7 | fixed: 9.8.0-alpha.7

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields ser

  • CVE-2026-39321 | Low | Apr 7, 2026
    affected: >= 9.0.0, < 9.8.0-alpha.6 | fixed: 9.8.0-alpha.6

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user i

  • CVE-2026-35200 | Medium | Apr 6, 2026
    affected: >= 9.0.0, < 9.7.1-alpha.4 | fixed: 9.7.1-alpha.4

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that di

  • CVE-2026-34784 | High | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.1-alpha.1 | fixed: 9.7.1-alpha.1

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support

  • CVE-2026-34215 | Medium | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.7 | fixed: 9.7.0-alpha.7

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access t

  • CVE-2026-34595 | Medium | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.16 | fixed: 9.7.0-alpha.16

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery s

  • CVE-2026-34574 | Medium | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.14 | fixed: 9.7.0-alpha.14

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT

  • CVE-2026-34573 | High | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.12 | fixed: 9.7.0-alpha.12

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out

  • CVE-2026-34532 | Critical | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.11 | fixed: 9.7.0-alpha.11

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the UR

  • CVE-2026-34373 | High | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.10 | fixed: 9.7.0-alpha.10

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any w

  • CVE-2026-34363 | Medium | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.9 | fixed: 9.7.0-alpha.9

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using share

  • CVE-2026-34224 | Medium | Mar 31, 2026
    affected: >= 9.0.0, < 9.7.0-alpha.8 | fixed: 9.7.0-alpha.8

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create m

  • CVE-2026-33627 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.55 | fixed: 9.6.0-alpha.55

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secret

  • CVE-2026-33624 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.54 | fixed: 9.6.0-alpha.54

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times

  • CVE-2026-33539 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.53 | fixed: 9.6.0-alpha.53

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters

  • CVE-2026-33538 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.52 | fixed: 9.6.0-alpha.52

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider na

  • CVE-2026-33527 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.48 | fixed: 9.6.0-alpha.48

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own sessi

  • CVE-2026-33508 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.45 | fixed: 9.6.0-alpha.45

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocke

  • CVE-2026-33498 | Mar 24, 2026
    affected: >= 9.0.0, < 9.6.0-alpha.44 | fixed: 9.6.0-alpha.44

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang th
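
The OTP race (CVE-2026-43930) and the reusable recovery code and OTP entries (CVE-2026-33624, CVE-2026-34224) share one root cause: a one-time credential is checked in one step and invalidated in a later one, or not invalidated at all. The following is an added illustration, not code from Parse Server or from the advisories, built on a constructed in-memory store with a simulated async round trip; the store, function, user and code values are assumptions. It shows two concurrent verifications of the same code both succeeding under the check-then-consume shape and only one succeeding when the check and the consume are a single step.

```javascript
// Added illustration, not Parse Server code: a one-time code that is checked
// in one step and consumed in a later one can be used twice by concurrent
// requests. Store, function, user and code values are assumptions.

// Constructed in-memory store of issued codes: code -> { userId, expiresAt }.
function makeStore() {
  return new Map();
}

// Stand-in for an awaited database round trip; every await is a point where
// another request's code can run.
const roundTrip = () => new Promise((resolve) => setImmediate(resolve));

// Vulnerable shape: look the code up, do other async work, then mark it used.
// Two requests with the same code both pass the lookup before either reaches
// the delete, so both log in.
async function verifyRacy(store, userId, code) {
  const entry = store.get(code);                     // 1. find the code
  await roundTrip();                                 //    (awaiting the query)
  if (!entry || entry.userId !== userId || entry.expiresAt <= Date.now()) {
    return false;
  }
  await roundTrip();                                 // 2. create the session
  store.delete(code);                                // 3. mark used: too late
  return true;
}

// Hardened shape: check and consume happen with nothing awaited in between,
// so the second request finds the code already gone. With a real database
// this step must be the database's own conditional operation.
async function verifyAtomic(store, userId, code) {
  const entry = store.get(code);
  const valid = entry !== undefined && entry.userId === userId && entry.expiresAt > Date.now();
  if (!valid) return false;
  store.delete(code);                                // consume before any await
  await roundTrip();                                 // session creation afterwards
  return true;
}

// Fire two concurrent logins with the same code; returns how many succeeded.
async function concurrentLogins(verify) {
  const store = makeStore();
  store.set('482913', { userId: 'alice', expiresAt: Date.now() + 60000 });
  const results = await Promise.all([
    verify(store, 'alice', '482913'),
    verify(store, 'alice', '482913'),
  ]);
  return results.filter(Boolean).length;
}

concurrentLogins(verifyRacy).then((n) => console.log('check-then-consume:', n));    // 2
concurrentLogins(verifyAtomic).then((n) => console.log('single-step consume:', n)); // 1
```

With a real database the single step has to be the database's own conditional operation, for example a findOneAndDelete keyed on the code, or an UPDATE ... WHERE used = false whose affected-row count is checked, because two separate queries issued from application code are never atomic with respect to each other. The same consume-once rule is what makes a recovery code single-use.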

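Three entries above concern query nesting cost: the nested logical-operator hang (CVE-2026-33498), LiveQuery not enforcing requestComplexity.queryDepth (CVE-2026-33508), and the GraphQL complexity validator defeated by binary fan-out (CVE-2026-34573). The following is an added illustration, not Parse Server code, of the check a request path should run before interpreting a where clause: it bounds both the nesting depth of $or/$and/$nor and the total node count, and it walks iteratively so the walk itself cannot exhaust the stack. The function names, default limits and constructed hostile inputs are assumptions.

```javascript
// Added illustration, not Parse Server code: bound the cost of a query
// "where" clause before interpreting it. Names and limits are assumptions.

const LOGICAL_OPERATORS = new Set(['$or', '$and', '$nor']);

class QueryTooComplex extends Error {}

// Walk the clause iteratively (recursing over hostile input would risk the
// walker's own stack) and stop as soon as a limit is crossed, so the work
// done is bounded by the limits rather than by the attacker's input.
// depth = number of enclosing logical operators; nodes = values visited.
function measureWhere(where, limits = {}) {
  const { maxDepth = 10, maxNodes = 1000 } = limits;
  let nodes = 0;
  let deepest = 0;
  const stack = [{ value: where, depth: 0 }];
  while (stack.length > 0) {
    const { value, depth } = stack.pop();
    if (++nodes > maxNodes) {
      throw new QueryTooComplex(`query has more than ${maxNodes} nodes`);
    }
    if (value === null || typeof value !== 'object') continue;
    if (Array.isArray(value)) {
      // Array items (the operands of $or/$and/$nor) stay at the same depth.
      for (const item of value) stack.push({ value: item, depth });
      continue;
    }
    for (const [key, child] of Object.entries(value)) {
      const childDepth = LOGICAL_OPERATORS.has(key) ? depth + 1 : depth;
      if (childDepth > maxDepth) {
        throw new QueryTooComplex(`logical operator nesting ${childDepth} exceeds ${maxDepth}`);
      }
      if (childDepth > deepest) deepest = childDepth;
      stack.push({ value: child, depth: childDepth });
    }
  }
  return { depth: deepest, nodes };
}

// Gate for a request handler: true if the clause may be interpreted.
function isWithinLimits(where, limits) {
  try {
    measureWhere(where, limits);
    return true;
  } catch (err) {
    if (err instanceof QueryTooComplex) return false;
    throw err;
  }
}

// Constructed inputs for trying the check offline.
// A binary tree of $or clauses `levels` deep. The same subtree is reused so
// it is cheap to build, but a walker still visits 2^levels leaves.
function fanOut(levels) {
  let node = { a: 1 };
  for (let i = 0; i < levels; i++) node = { $or: [node, node] };
  return node;
}

// A single chain of $and clauses `levels` deep: deep but small.
function chain(levels) {
  let node = { a: 1 };
  for (let i = 0; i < levels; i++) node = { $and: [node] };
  return node;
}

const benign = { $or: [{ a: 1 }, { b: { $gt: 2 } }] };
console.log(measureWhere(benign));                          // { depth: 1, nodes: 7 }
console.log(isWithinLimits(fanOut(20)));                    // false: depth 20 > 10
console.log(isWithinLimits(fanOut(20), { maxDepth: 100 }));  // false: node cap
console.log(isWithinLimits(chain(50), { maxDepth: 100 }));   // true: 102 nodes
```

The node cap is what catches the fan-out shape: fanOut(20) is only 20 levels deep, so a depth limit of 100 would admit it, yet it expands to over four million nodes. A depth limit alone bounds one axis of cost; the count bounds the other, and the check stops as soon as either is crossed rather than measuring the whole input first. The same two limits apply whether the clause arrives over REST, a LiveQuery subscription, or GraphQL, which is the point of the LiveQuery entry above.
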
Page 1 of 6