VYPR

npm package

parse-server

pkg:npm/parse-server

Vulnerabilities (106)

  • CVE-2026-30925Mar 9, 2026
    affected >= 9.0.0-alpha.1, < 9.5.0-alpha.14fixed 9.5.0-alpha.14

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js ev

  • CVE-2026-30854Mar 7, 2026
    affected >= 9.3.1-alpha.3, < 9.5.0-alpha.10fixed 9.5.0-alpha.10

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __t

  • CVE-2026-30850Mar 7, 2026
    affected < 8.6.9fixed 8.6.9

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these t

  • CVE-2026-30848Mar 7, 2026
    affected < 8.6.8fixed 8.6.8

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outsi

  • CVE-2026-30863Mar 7, 2026
    affected >= 9.0.0-alpha.1, < 9.5.0-alpha.11fixed 9.5.0-alpha.11

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audien

  • CVE-2026-30835Mar 6, 2026
    affected >= 9.0.0, < 9.5.0-alpha.6fixed 9.5.0-alpha.6

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized thro

  • CVE-2026-30229Mar 6, 2026
    affected < 8.6.6fixed 8.6.6

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impe

  • CVE-2026-30228Mar 6, 2026
    affected >= 9.0.0, < 9.5.0-alpha.3fixed 9.5.0-alpha.3

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This

  • CVE-2026-29182Mar 6, 2026
    affected >= 9.0.0, < 9.4.1-alpha.3fixed 9.4.1-alpha.3

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operation

  • CVE-2026-27804Feb 25, 2026
    affected >= 9.0.0, < 9.3.1-alpha.4fixed 9.3.1-alpha.4

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google accou

  • CVE-2025-68150Dec 16, 2025
    affected >= 9.0.0, < 9.1.1-alpha.1fixed 9.1.1-alpha.1

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enable

  • CVE-2025-68115Dec 16, 2025
    affected < 8.6.1fixed 8.6.1

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. Th

  • CVE-2025-64502MedNov 10, 2025
    affected < 8.5.0-alpha.5fixed 8.5.0-alpha.5

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to

  • CVE-2025-64430HigNov 7, 2025
    affected >= 4.2.0, < 7.5.4fixed 7.5.4

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to up

  • CVE-2025-53364MedJul 10, 2025
    affected >= 8.0.0, < 8.2.2fixed 8.2.2

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the maste

  • CVE-2025-30168MedMar 21, 2025
    affected < 7.5.2fixed 7.5.2

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used acros

  • CVE-2024-47183Oct 4, 2024
    affected < 6.5.9fixed 6.5.9

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vul

  • CVE-2024-39309CriJul 1, 2024
    affected < 6.5.7fixed 6.5.7

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection

  • CVE-2024-29027Mar 19, 2024
    affected < 6.5.5fixed 6.5.5

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal

  • CVE-2024-27298Mar 1, 2024
    affected < 6.5.0fixed 6.5.0

    parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

Page 4 of 6