pkg:npm/parse-server

108 total CVEs: CRITICAL 8, HIGH 20, MEDIUM 15, LOW 2 (the remaining 63 entries carry no CVSS score)


All known vulnerabilities

  • CRITICAL 10.0 | CVE-2026-30966 | Parse Server role escalation and CLP bypass via direct `_Join` table write
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.7
  • CRITICAL 10.0 | CVE-2024-27298 | Parse Server literalizeRegexPart SQL Injection
    affected: >= 0, < 6.5.0
  • CRITICAL 10.0 | CVE-2022-24760 | Command Injection in Parse Server
    affected: >= 0, < 4.10.7
  • CRITICAL 9.8 | CVE-2024-39309 | ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
    affected: >= 0, < 6.5.7
  • CRITICAL 9.8 | CVE-2023-36475 | Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
    affected: >= 0, < 5.5.2
  • CRITICAL 9.8 | CVE-2022-39396 | Parse Server vulnerable to Remote Code Execution via prototype pollution in MongoDB BSON parser
    affected: >= 0, < 4.10.18
  • CRITICAL 9.1 | CVE-2026-33409 | Parse Server has an auth provider validation bypass on login via partial authData
    affected: >= 9.0.0, < 9.6.0-alpha.41
  • CRITICAL 9.0 | CVE-2024-29027 | Parse Server crash and RCE via invalid Cloud Function or Cloud Job name
    affected: >= 0, < 6.5.5
  • HIGH 8.7 | CVE-2023-22474 | Parse Server is vulnerable to authentication bypass via spoofing
    affected: >= 0, < 5.4.1
  • HIGH 8.6 | CVE-2022-36079 | Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
    affected: >= 0, < 4.10.14
  • HIGH 8.6 | CVE-2022-31083 | Authentication bypass in Parse Server Apple Game Center auth adapter
    affected: >= 0, < 4.10.11
  • HIGH 8.2 | CVE-2022-31112 | Protected fields exposed via LiveQuery in parse-server
    affected: >= 0, < 4.10.13
  • HIGH 8.1 | CVE-2024-47183 | Parse Server's custom object ID allows acquiring role privileges
    affected: >= 0, < 6.5.9
  • HIGH 7.7 | CVE-2020-26288 | Parse Server stores password in plain text
    affected: >= 0, < 4.5.0
  • HIGH 7.7 | CVE-2020-5251 | Information disclosure in parse-server
    affected: >= 0, < 4.1.0
  • HIGH 7.5 | CVE-2026-33508 | Parse Server LiveQuery subscription query depth bypass
    affected: >= 9.0.0, < 9.6.0-alpha.45
  • HIGH 7.5 | CVE-2026-33498 | Parse Server has a query condition depth bypass via pre-validation transform pipeline
    affected: >= 9.0.0, < 9.6.0-alpha.44
  • HIGH 7.5 | CVE-2025-64430 | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
    affected: >= 4.2.0, < 7.5.4
  • HIGH 7.5 | CVE-2023-46119 | Parse Server may crash when uploading file without extension
    affected: >= 1.0.0, < 5.5.6
  • HIGH 7.5 | CVE-2023-41058 | Trigger `beforeFind` not invoked in internal query pipeline in parse-server
    affected: >= 1.0.0, < 5.5.5
  • HIGH 7.5 | CVE-2022-39313 | Parse Server crashes when receiving file download request with invalid byte range
    affected: >= 0, < 4.10.17
  • HIGH 7.5 | CVE-2022-31089 | Invalid file request can crash parse-server
    affected: >= 0, < 4.10.12
  • HIGH 7.5 | CVE-2022-24901 | Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
    affected: >= 0, < 4.10.10
  • HIGH 7.5 | CVE-2021-41109 | LiveQuery publishes user session tokens in parse-server
    affected: >= 0, < 4.10.4
  • HIGH 7.5 | CVE-2021-39187 | Parse Server crashes with query parameter
    affected: >= 0, < 4.10.3
  • HIGH 7.5 | CVE-2019-1020012 | Parse Server before v3.4.1 vulnerable to Denial of Service
    affected: >= 0, < 3.4.1
  • HIGH 7.2 | CVE-2022-41879 | Parse Server subject to Prototype pollution via Cloud Code Webhooks
    affected: >= 0, < 4.10.20
  • HIGH 7.2 | CVE-2022-41878 | Parse Server Prototype pollution and Injection via Cloud Code Webhooks or Cloud Code Triggers
    affected: >= 0, < 4.10.19
  • MEDIUM 6.9 | CVE-2025-30168 | Parse Server has an OAuth login vulnerability
    affected: >= 0, < 7.5.2
  • MEDIUM 6.5 | CVE-2026-33421 | Parse Server's LiveQuery bypasses CLP pointer permission enforcement
    affected: >= 9.0.0, < 9.6.0-alpha.42
  • MEDIUM 6.5 | CVE-2020-15126 | GraphQL: Security breach on Viewer query
    affected: >= 3.5.0, < 4.3.0
  • MEDIUM 6.3 | CVE-2023-32689 | Parse Server vulnerable to phishing via upload of a malicious HTML file
    affected: >= 0, < 5.4.4
  • MEDIUM 5.9 | CVE-2026-32770 | Parse Server LiveQuery subscription with invalid regular expression crashes server
    affected: >= 9.0.0, < 9.6.0-alpha.19
  • MEDIUM 5.3 | CVE-2026-33429 | Parse Server has a protected field change detection oracle via LiveQuery watch parameter
    affected: >= 9.0.0, < 9.6.0-alpha.43
  • MEDIUM 5.3 | CVE-2026-33323 | Parse Server email verification resend page leaks user existence
    affected: >= 9.0.0, < 9.6.0-alpha.40
  • MEDIUM 5.3 | CVE-2025-53364 | Parse Server exposes the data schema via GraphQL API
    affected: >= 8.0.0, < 8.2.2
  • MEDIUM 5.3 | CVE-2019-1020013 | Sensitive Data Exposure in parse-server
    affected: >= 0, < 3.6.0
  • MEDIUM 4.8 | CVE-2021-39138 | parse-server new anonymous user session acts as if it's created with password
    affected: >= 0, < 4.5.2
  • MEDIUM 4.3 | CVE-2026-39381 | Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
    affected: >= 9.0.0, < 9.8.0-alpha.7
  • MEDIUM 4.3 | CVE-2026-33527 | Parse Server's Session Update endpoint allows overwriting server-generated session fields
    affected: >= 9.0.0, < 9.6.0-alpha.48
  • MEDIUM 4.3 | CVE-2026-32742 | Parse Server session creation endpoint allows overwriting server-generated session fields
    affected: >= 9.0.0, < 9.6.0-alpha.17
  • MEDIUM 4.3 | CVE-2022-39225 | Parse Server subject to Incorrect Resource Transfer Between Spheres
    affected: >= 0, < 4.10.15
  • MEDIUM 4.3 | CVE-2020-15270 | Receiving subscription objects with deleted session
    affected: >= 0, < 4.4.0
  • LOW 3.7 | CVE-2026-39321 | Parse Server has a login timing side-channel that reveals user existence
    affected: >= 9.0.0, < 9.8.0-alpha.6
  • LOW 3.7 | CVE-2022-39231 | Parse Server subject to Improper Authentication allowing Auth adapter app ID validation to be circumvented
    affected: >= 0, < 4.10.16
  • CVE-2026-47248 | Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
    affected: >= 9.0.0, < 9.9.1-alpha.2
  • CVE-2026-47138 | Parse Server: Pre-authentication denial of service via client version header regex backtracking
    affected: >= 9.0.0, < 9.9.1-alpha.1
  • CVE-2026-43930 | parse-server: MFA SMS one-time password accepted twice under concurrent login
    affected: >= 9.0.0, < 9.9.0-alpha.2
  • CVE-2026-35200 | Parse Server: File upload Content-Type override via extension mismatch
    affected: >= 9.0.0, < 9.7.1-alpha.4
  • CVE-2026-34784 | Parse Server's streaming file download bypasses afterFind file trigger authorization
    affected: >= 9.0.0, < 9.7.1-alpha.1
  • CVE-2026-34595 | Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
    affected: >= 9.0.0, < 9.7.0-alpha.16
  • CVE-2026-34574 | Parse Server has a session field immutability bypass via falsy-value guard
    affected: >= 9.0.0, < 9.7.0-alpha.14
  • CVE-2026-34573 | parse-server has GraphQL complexity validator exponential fragment traversal DoS
    affected: >= 9.0.0, < 9.7.0-alpha.12
  • CVE-2026-34532 | parse-server has cloud function validator bypass via prototype chain traversal
    affected: >= 9.0.0, < 9.7.0-alpha.11
  • CVE-2026-34373 | GraphQL API endpoint ignores CORS origin restriction
    affected: >= 9.0.0, < 9.7.0-alpha.10
  • CVE-2026-34363 | LiveQuery protected field leak via shared mutable state across concurrent subscribers
    affected: >= 9.0.0, < 9.7.0-alpha.9
  • CVE-2026-34224 | Parse Server has an MFA single-use token bypass via concurrent authData login requests
    affected: >= 9.0.0, < 9.7.0-alpha.8
  • CVE-2026-34215 | Parse Server exposes auth data via verify password endpoint
    affected: >= 9.0.0, < 9.7.0-alpha.7
  • CVE-2026-33627 | Parse Server exposes auth data via /users/me endpoint
    affected: >= 9.0.0, < 9.6.0-alpha.55
  • CVE-2026-33624 | Parse Server: MFA recovery code single-use bypass via concurrent requests
    affected: >= 9.0.0, < 9.6.0-alpha.54
  • CVE-2026-33539 | Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
    affected: >= 9.0.0, < 9.6.0-alpha.53
  • CVE-2026-33538 | Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
    affected: >= 9.0.0, < 9.6.0-alpha.52
  • CVE-2026-33163 | Parse Server leaks protected fields via LiveQuery afterEvent trigger
    affected: >= 9.0.0, < 9.6.0-alpha.35
  • CVE-2026-33042 | Parse Server affected by empty authData bypassing credential requirement on signup
    affected: >= 9.0.0, < 9.6.0-alpha.29
  • CVE-2026-32878 | Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
    affected: >= 9.0.0, < 9.6.0-alpha.20
  • CVE-2026-32886 | Parse Server's Cloud function dispatch crashes server via prototype chain traversal
    affected: >= 9.0.0, < 9.6.0-alpha.24
  • CVE-2026-32943 | Parse Server has a password reset token single-use bypass via concurrent requests
    affected: >= 9.0.0, < 9.6.0-alpha.28
  • CVE-2026-32944 | Parse Server crash via deeply nested query condition operators
    affected: >= 9.0.0, < 9.6.0-alpha.21
  • CVE-2026-32728 | Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
    affected: >= 9.0.0, < 9.6.0-alpha.15
  • CVE-2026-32594 | Parse Server's GraphQL WebSocket endpoint bypasses security middleware
    affected: >= 9.0.0, < 9.6.0-alpha.14
  • CVE-2026-32269 | Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
    affected: >= 9.0.0, < 9.6.0-alpha.13
  • CVE-2026-32248 | Parse Server: Account takeover via operator injection in authentication data identifier
    affected: >= 9.0.0, < 9.6.0-alpha.12
  • CVE-2026-32242 | Parse Server OAuth2 adapter shares mutable state across providers via singleton instance
    affected: >= 9.0.0, < 9.6.0-alpha.11
  • CVE-2026-32234 | Parse Server has a SQL injection via query field name when using PostgreSQL
    affected: >= 9.0.0, < 9.6.0-alpha.10
  • CVE-2026-32098 | Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
    affected: >= 9.0.0, < 9.6.0-alpha.9
  • CVE-2026-31901 | Parse Server vulnerable to user enumeration via email verification endpoint
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.8
  • CVE-2026-31875 | Parse Server's MFA recovery codes not consumed after use
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.7
  • CVE-2026-31872 | Parse Server has a protected fields bypass via dot-notation in query and sort
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.6
  • CVE-2026-31871 | Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.5
  • CVE-2026-31868 | Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.4
  • CVE-2026-31856 | Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
    affected: >= 9.0.0-alpha.1, < 9.6.0-alpha.3
  • CVE-2026-31828 | Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.13
  • CVE-2026-31800 | Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.12
  • CVE-2026-30972 | Parse Server has a rate limit bypass via batch request endpoint
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.10
  • CVE-2026-30967 | Parse Server OAuth2 authentication adapter account takeover via identity spoofing
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.9
  • CVE-2026-30965 | Parse Server session token exfiltration via `redirectClassNameForKey` query parameter
    affected: >= 9.0.0-alpha.1, < 9.5.2-alpha.8
  • CVE-2026-30962 | Parse Server has a protected fields bypass via logical query operators
    affected: >= 9.0.0, < 9.5.2-alpha.6
  • CVE-2026-30949 | Parse Server is missing audience validation in Keycloak authentication adapter
    affected: >= 9.0.0, < 9.5.2-alpha.5
  • CVE-2026-30948 | Parse Server has stored cross-site scripting (XSS) via SVG file upload
    affected: >= 9.0.0, < 9.5.2-alpha.4
  • CVE-2026-30947 | Parse Server has a bypass of class-level permissions in LiveQuery
    affected: >= 9.0.0, < 9.5.2-alpha.3
  • CVE-2026-30946 | Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
    affected: >= 0, < 8.6.15
  • CVE-2026-30941 | Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
    affected: >= 9.0.0, < 9.5.2-alpha.1
  • CVE-2026-31840 | Parse Server: SQL injection via dot-notation field name in PostgreSQL
    affected: >= 9.0.0, < 9.6.0-alpha.2
  • CVE-2026-30939 | Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
    affected: >= 0, < 8.6.13
  • CVE-2026-30938 | Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
    affected: >= 0, < 8.6.12
  • CVE-2026-30925 | Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
    affected: >= 9.0.0-alpha.1, < 9.5.0-alpha.14
  • CVE-2026-30863 | Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters
    affected: >= 9.0.0-alpha.1, < 9.5.0-alpha.11
  • CVE-2026-30854 | Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
    affected: >= 9.3.1-alpha.3, < 9.5.0-alpha.10
  • CVE-2026-30850 | Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
    affected: >= 0, < 8.6.9
  • CVE-2026-30848 | Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
    affected: >= 0, < 8.6.8
  • CVE-2026-30835 | parse-server: Malformed `$regex` query leaks database error details in API response
    affected: >= 9.0.0, < 9.5.0-alpha.6
  • CVE-2026-30229 | parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
    affected: >= 0, < 8.6.6
  • CVE-2026-30228 | parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
    affected: >= 9.0.0, < 9.5.0-alpha.3
  • CVE-2026-29182 | Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
    affected: >= 9.0.0, < 9.4.1-alpha.3
  • CVE-2026-27804 | Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
    affected: >= 9.0.0, < 9.3.1-alpha.4
  • CVE-2025-68150 | Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
    affected: >= 9.0.0, < 9.1.1-alpha.1
  • CVE-2025-68115 | Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables
    affected: >= 0, < 8.6.1
  • CVE-2025-64502 | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
    affected: >= 0, < 8.5.0-alpha.5
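Matching an installed version against the ranges above is mostly a SemVer precedence problem: many of the 9.x fixes land in pre-release versions (9.6.0-alpha.41, 9.5.2-alpha.7), and a pre-release sorts below its release, so "< 9.6.0-alpha.45" and ">= 9.0.0" have to be compared identifier by identifier rather than as strings. The following is an added example written for this page, not code from the parse-server project or from this advisory source. It implements SemVer 2.0 precedence by hand so it runs without the `semver` package, and it embeds a constructed subset of the advisories listed above; the `ADVISORIES` array and the function names (`parseSemver`, `compareSemver`, `isAffected`, `findAffecting`) are this example's own.

```javascript
// Added example for this page (not parse-server project code): check an installed
// parse-server version against affected ranges of the form ">= introduced, < fixed",
// using SemVer 2.0 precedence so that the pre-release fix versions in the 9.x
// advisories (e.g. 9.6.0-alpha.41 < 9.6.0-alpha.45 < 9.6.0) compare correctly.

// Split "9.6.0-alpha.41" into a numeric core and pre-release identifiers.
// Build metadata after "+" is ignored, as SemVer precedence requires.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { main: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : [] };
}

// SemVer rule: numeric pre-release identifiers compare as numbers and rank
// below alphanumeric ones; alphanumeric ones compare lexically (ASCII order).
function comparePreId(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1: x sorts before, equal to, or after y in precedence.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  // Same core version: a release ranks above any of its pre-releases.
  if (a.pre.length === 0 && b.pre.length === 0) return 0;
  if (a.pre.length === 0) return 1;
  if (b.pre.length === 0) return -1;
  const n = Math.min(a.pre.length, b.pre.length);
  for (let i = 0; i < n; i++) {
    const c = comparePreId(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the longer pre-release list ranks higher.
  return Math.sign(a.pre.length - b.pre.length);
}

// A range as listed on the page: `introduced` is inclusive, `fixed` is exclusive.
function isAffected(version, range) {
  return compareSemver(version, range.introduced) >= 0 &&
         compareSemver(version, range.fixed) < 0;
}

// Constructed subset of the advisories above (IDs and ranges copied from the list;
// an entry with no lower bound is written here as introduced 0.0.0).
const ADVISORIES = [
  { id: 'CVE-2026-30966', introduced: '9.0.0-alpha.1', fixed: '9.5.2-alpha.7' },
  { id: 'CVE-2024-27298', introduced: '0.0.0', fixed: '6.5.0' },
  { id: 'CVE-2026-33508', introduced: '9.0.0', fixed: '9.6.0-alpha.45' },
  { id: 'CVE-2025-64430', introduced: '4.2.0', fixed: '7.5.4' },
  { id: 'CVE-2026-30946', introduced: '0.0.0', fixed: '8.6.15' },
];

// IDs of every advisory whose affected range contains `version`, in list order.
function findAffecting(version, advisories = ADVISORIES) {
  return advisories.filter(a => isAffected(version, a)).map(a => a.id);
}

// A 9.6.0 pre-release sits inside the LiveQuery depth-bypass range but past the
// fixes that shipped in 9.5.2:
// findAffecting('9.6.0-alpha.41') -> ['CVE-2026-33508']
```

Feed it the version that is actually resolved in node_modules (`node -p "require('parse-server/package.json').version"`), not the range in your own package.json. Two edge cases the comparator handles that a string comparison gets wrong: 9.0.0-alpha.1 sorts below 9.0.0, so it is outside a range that starts at ">= 9.0.0" even though it is inside one that starts at ">= 9.0.0-alpha.1"; and 9.6.0 itself is not below 9.6.0-alpha.45, so a release is never reported as affected by a range that was closed in one of its pre-releases.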