Parse Security Vulnerabilities

CVE-2024-29027 | CVSS 9 | AI Score 9.3 | EPSS 0.0004 | 2024-03-19 07:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation...

CVE-2024-27298 | CVSS 10 | AI Score 9.7 | EPSS 0.0004 | 2024-03-01 06:15 PM
parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and...

CVE-2019-17592 | CVSS 7.5 | AI Score 7.3 | EPSS 0.003 | 2019-10-14 08:15 PM
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast...

CVE-2021-23343 | CVSS 7.5 | AI Score 8.3 | EPSS 0.003 | 2021-05-04 09:15 AM
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via the splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time...

CVE-2023-46119 | CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2023-10-25 06:17 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server crashes when uploading a file without an extension. This vulnerability has been patched in versions 5.5.6 and...

CVE-2023-41058 | CVSS 7.5 | AI Score 7.5 | EPSS 0.001 | 2023-09-04 11:15 PM
Parse Server is an open source backend server. In affected versions the Parse Cloud trigger beforeFind is not invoked in certain conditions of Parse.Query. This can pose a vulnerability for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The...

CVE-2021-23490 | CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2021-12-24 08:15 PM
The package parse-link-header before 2.0.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the checkHeader...

CVE-2022-31112 | CVSS 8.2 | AI Score 8 | EPSS 0.002 | 2022-06-30 05:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client...

CVE-2022-39313 | CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2022-10-24 02:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.17, and prior to 5.2.8 on the 5.x branch, crash when a file download request is received with an invalid byte range, resulting in a Denial of Service. This issue has been...

CVE-2020-26710 | CVSS 7.5 | AI Score 7.8 | EPSS 0.001 | 2023-06-29 09:15 PM
easy-parse v0.1.1 was discovered to contain an XML External Entity Injection (XXE) vulnerability which allows attackers to execute arbitrary code via a crafted XML...

CVE-2023-36475 | CVSS 9.8 | AI Score 9.6 | EPSS 0.161 | 2023-06-28 11:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...

CVE-2022-31083 | CVSS 8.6 | AI Score 7.2 | EPSS 0.001 | 2022-06-17 07:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 4.10.11 and 5.2.2, the certificate in the Parse Server Apple Game Center auth adapter is not validated. As a result, authentication could potentially be bypassed by making a fake...

CVE-2023-33290 | CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2023-06-12 01:15 PM
The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758...

CVE-2023-32689 | CVSS 6.5 | AI Score 6.2 | EPSS 0.001 | 2023-05-30 06:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server via...

CVE-2023-32688 | CVSS 7.5 | AI Score 7.4 | EPSS 0.003 | 2023-05-27 04:15 AM
parse-server-push-adapter is the official Push Notification adapter for Parse Server. The Parse Server Push Adapter can crash Parse Server due to an invalid push notification payload. This issue has been patched in version...

CVE-2021-27515 | CVSS 5.3 | AI Score 5.4 | EPSS 0.002 | 2021-02-22 12:15 AM
url-parse before 1.5.0 mishandles certain uses of backslash such as http:/ and interprets the URI as a relative...

CVE-2022-0512 | CVSS 5.3 | AI Score 5.3 | EPSS 0.001 | 2022-02-14 04:15 PM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to...

CVE-2022-0639 | CVSS 5.3 | AI Score 5.3 | EPSS 0.001 | 2022-02-17 06:15 PM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to...

CVE-2022-0691 | CVSS 9.8 | AI Score 9.1 | EPSS 0.003 | 2022-02-21 09:15 AM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to...

CVE-2022-0686 | CVSS 9.1 | AI Score 8.9 | EPSS 0.002 | 2022-02-20 01:15 PM
Authorization Bypass Through User-Controlled Key in NPM url-parse prior to...

CVE-2021-3664 | CVSS 5.3 | AI Score 5.3 | EPSS 0.001 | 2021-07-26 12:15 PM
url-parse is vulnerable to URL Redirection to Untrusted...

CVE-2023-22474 | CVSS 8.7 | AI Score 7.8 | EPSS 0.001 | 2023-02-03 08:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Parse Server uses the request header x-forwarded-for to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server...

CVE-2022-41878 | CVSS 9.8 | AI Score 9.1 | EPSS 0.002 | 2022-11-10 11:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.2 or 4.10.19, keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the...

CVE-2022-41879 | CVSS 9.8 | AI Score 9.3 | EPSS 0.002 | 2022-11-10 09:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 5.3.3 or 4.10.20, a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server...

CVE-2022-39396 | CVSS 9.8 | AI Score 9.7 | EPSS 0.005 | 2022-11-10 01:15 AM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 4.10.18, and prior to 5.3.1 on the 5.x branch, are vulnerable to Remote Code Execution via prototype pollution. An attacker can use this prototype pollution sink to trigger a...

CVE-2022-42743 | CVSS 5.3 | AI Score 5.2 | EPSS 0.001 | 2022-11-03 08:15 PM
deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the '__proto__' property to be...

CVE-2022-39231 | CVSS 3.7 | AI Score 4 | EPSS 0.001 | 2022-09-23 08:15 AM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...

CVE-2022-39225 | CVSS 4.3 | AI Score 3.7 | EPSS 0.001 | 2022-09-23 07:15 AM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the...

CVE-2022-3224 | CVSS 6.1 | AI Score 6.1 | EPSS 0.001 | 2022-09-15 12:15 PM
Misinterpretation of Input in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-2900 | CVSS 9.1 | AI Score 9.2 | EPSS 0.002 | 2022-09-14 11:15 AM
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-36079 | CVSS 8.6 | AI Score 7.4 | EPSS 0.002 | 2022-09-07 09:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse...

CVE-2022-0624 | CVSS 7.3 | AI Score 7.1 | EPSS 0.001 | 2022-06-28 09:15 AM
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to...

CVE-2022-31089 | CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2022-06-27 09:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions certain types of invalid file requests are not handled properly and can crash the server. If you are running multiple Parse Server instances in a cluster, the availability...

CVE-2022-2218 | CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-06-27 01:15 PM
Cross-site Scripting (XSS) - Stored in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-2216 | CVSS 9.8 | AI Score 9.5 | EPSS 0.002 | 2022-06-27 12:15 PM
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-2217 | CVSS 6.1 | AI Score 5.9 | EPSS 0.001 | 2022-06-27 11:15 AM
Cross-site Scripting (XSS) - Generic in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-0722 | CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2022-06-27 11:15 AM
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository ionicabizau/parse-url prior to...

CVE-2022-24901 | CVSS 7.5 | AI Score 7.1 | EPSS 0.001 | 2022-05-04 01:15 AM
Improper validation of the Apple certificate URL in the Apple Game Center authentication adapter allows attackers to bypass authentication, making the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding additional checks of the resource the...

CVE-2022-24760 | CVSS 10 | AI Score 9.4 | EPSS 0.081 | 2022-03-12 12:15 AM
Parse Server is an open source http web server backend. In versions prior to 4.10.7 there is a Remote Code Execution (RCE) vulnerability in Parse Server. This vulnerability affects Parse Server in the default configuration with MongoDB. The main weakness that leads to RCE is the Prototype...

CVE-2021-41109 | CVSS 7.5 | AI Score 7.4 | EPSS 0.001 | 2021-09-30 03:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery...

CVE-2021-39187 | CVSS 7.5 | AI Score 7.4 | EPSS 0.002 | 2021-09-02 04:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.3, Parse Server crashes if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an...

CVE-2021-39138 | CVSS 6.5 | AI Score 6.3 | EPSS 0.001 | 2021-08-19 04:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to sign up users and also allow users to log in anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates...

CVE-2021-29932 | CVSS 7.5 | AI Score 7.2 | EPSS 0.001 | 2021-04-01 05:15 AM
An issue was discovered in the parse_duration crate through 2021-03-18 for Rust. It allows attackers to cause a denial of service (CPU and memory consumption) via a duration string with a large...

CVE-2021-23346 | CVSS 5.3 | AI Score 5.1 | EPSS 0.003 | 2021-03-04 05:15 PM
This affects the package html-parse-stringify before 2.0.1 and all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the...

CVE-2020-26288 | CVSS 7.7 | AI Score 6.4 | EPSS 0.001 | 2020-12-30 08:15 PM
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. It is an npm package "parse-server". In Parse Server before version 4.5.0, user passwords involved in LDAP authentication are stored in cleartext. This is fixed in version 4.5.0 by stripping...

CVE-2020-15270 | CVSS 4.3 | AI Score 4.4 | EPSS 0.001 | 2020-10-22 10:15 PM
Parse Server (npm package parse-server) broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...

CVE-2020-15126 | CVSS 6.5 | AI Score 6.4 | EPSS 0.001 | 2020-07-22 11:15 PM
In parse-server from version 3.5.0 and before 4.3.0, an authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User...

CVE-2020-5251 | CVSS 7.7 | AI Score 5.1 | EPSS 0.001 | 2020-03-04 03:15 PM
In parse-server before version 4.1.0, you can fetch all the user objects by using a regex in the NoSQL query. Using NoSQL, you can use a regex on sessionToken and find valid accounts this...

CVE-2020-8124 | CVSS 5.3 | AI Score 5.4 | EPSS 0.001 | 2020-02-04 08:15 PM
Insufficient validation and sanitization of user input in the url-parse npm package version 1.4.4 and earlier may allow an attacker to bypass security...

CVE-2019-1020012 | CVSS 7.5 | AI Score 7.3 | EPSS 0.001 | 2019-07-29 01:15 PM
parse-server before 3.4.1 allows DoS after any POST to a volatile...

Total number of security vulnerabilities: 53