npm package
parse-server
pkg:npm/parse-server
Vulnerabilities (106)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-30925 | — | >= 9.0.0-alpha.1, < 9.5.0-alpha.14 | 9.5.0-alpha.14 | Mar 9, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js ev | ||
| CVE-2026-30854 | — | >= 9.3.1-alpha.3, < 9.5.0-alpha.10 | 9.5.0-alpha.10 | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __t | ||
| CVE-2026-30850 | — | < 8.6.9 | 8.6.9 | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these t | ||
| CVE-2026-30848 | — | < 8.6.8 | 8.6.8 | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outsi | ||
| CVE-2026-30863 | — | >= 9.0.0-alpha.1, < 9.5.0-alpha.11 | 9.5.0-alpha.11 | Mar 7, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audien | ||
| CVE-2026-30835 | — | >= 9.0.0, < 9.5.0-alpha.6 | 9.5.0-alpha.6 | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized thro | ||
| CVE-2026-30229 | — | < 8.6.6 | 8.6.6 | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impe | ||
| CVE-2026-30228 | — | >= 9.0.0, < 9.5.0-alpha.3 | 9.5.0-alpha.3 | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This | ||
| CVE-2026-29182 | — | >= 9.0.0, < 9.4.1-alpha.3 | 9.4.1-alpha.3 | Mar 6, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operation | ||
| CVE-2026-27804 | — | >= 9.0.0, < 9.3.1-alpha.4 | 9.3.1-alpha.4 | Feb 25, 2026 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google accou | ||
| CVE-2025-68150 | — | >= 9.0.0, < 9.1.1-alpha.1 | 9.1.1-alpha.1 | Dec 16, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enable | ||
| CVE-2025-68115 | — | < 8.6.1 | 8.6.1 | Dec 16, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. Th | ||
| CVE-2025-64502 | Med | — | < 8.5.0-alpha.5 | 8.5.0-alpha.5 | Nov 10, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to | |
| CVE-2025-64430 | Hig | 7.5 | >= 4.2.0, < 7.5.4 | 7.5.4 | Nov 7, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to up | |
| CVE-2025-53364 | Med | 5.3 | >= 8.0.0, < 8.2.2 | 8.2.2 | Jul 10, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the maste | |
| CVE-2025-30168 | Med | 6.9 | < 7.5.2 | 7.5.2 | Mar 21, 2025 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used acros | |
| CVE-2024-47183 | — | < 6.5.9 | 6.5.9 | Oct 4, 2024 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vul | ||
| CVE-2024-39309 | Cri | 9.8 | < 6.5.7 | 6.5.7 | Jul 1, 2024 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection | |
| CVE-2024-29027 | — | < 6.5.5 | 6.5.5 | Mar 19, 2024 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal | ||
| CVE-2024-27298 | — | < 6.5.0 | 6.5.0 | Mar 1, 2024 | parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20. |
- CVE-2026-30925Mar 9, 2026affected >= 9.0.0-alpha.1, < 9.5.0-alpha.14fixed 9.5.0-alpha.14
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js ev
- CVE-2026-30854Mar 7, 2026affected >= 9.3.1-alpha.3, < 9.5.0-alpha.10fixed 9.5.0-alpha.10
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __t
- CVE-2026-30850Mar 7, 2026affected < 8.6.9fixed 8.6.9
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these t
- CVE-2026-30848Mar 7, 2026affected < 8.6.8fixed 8.6.8
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outsi
- CVE-2026-30863Mar 7, 2026affected >= 9.0.0-alpha.1, < 9.5.0-alpha.11fixed 9.5.0-alpha.11
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audien
- CVE-2026-30835Mar 6, 2026affected >= 9.0.0, < 9.5.0-alpha.6fixed 9.5.0-alpha.6
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized thro
- CVE-2026-30229Mar 6, 2026affected < 8.6.6fixed 8.6.6
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impe
- CVE-2026-30228Mar 6, 2026affected >= 9.0.0, < 9.5.0-alpha.3fixed 9.5.0-alpha.3
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This
- CVE-2026-29182Mar 6, 2026affected >= 9.0.0, < 9.4.1-alpha.3fixed 9.4.1-alpha.3
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operation
- CVE-2026-27804Feb 25, 2026affected >= 9.0.0, < 9.3.1-alpha.4fixed 9.3.1-alpha.4
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google accou
- CVE-2025-68150Dec 16, 2025affected >= 9.0.0, < 9.1.1-alpha.1fixed 9.1.1-alpha.1
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enable
- CVE-2025-68115Dec 16, 2025affected < 8.6.1fixed 8.6.1
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. Th
- affected < 8.5.0-alpha.5fixed 8.5.0-alpha.5
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to
- affected >= 4.2.0, < 7.5.4fixed 7.5.4
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to up
- affected >= 8.0.0, < 8.2.2fixed 8.2.2
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the maste
- affected < 7.5.2fixed 7.5.2
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used acros
- CVE-2024-47183Oct 4, 2024affected < 6.5.9fixed 6.5.9
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vul
- affected < 6.5.7fixed 6.5.7
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection
- CVE-2024-29027Mar 19, 2024affected < 6.5.5fixed 6.5.5
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal
- CVE-2024-27298Mar 1, 2024affected < 6.5.0fixed 6.5.0
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.
Page 4 of 6