132 matches found
EUVD-2026-10436
Parse Server has Regular Expression Denial of Service ReDoS via $regex query in LiveQuery...
EUVD-2026-10437
Parse Server has Regular Expression Denial of Service ReDoS via $regex query in LiveQuery...
GHSA-MF3J-86QX-CQ5J Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Impact A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The...
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Impact A malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The...
Parse Server 安全漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.5.2-alpha.3 and 8.6.16 contain security vulnerabilities. These vulnerabilities stem from the lack of enforceable class-level...
PT-2026-24425
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.3 Parse Server versions prior to 8.6.16 Description Parse Server, an open-source backend deployable on Node.js infrastructures, is susceptible to a flaw where class-level permissions CLP are not...
CVE-2026-30925 Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...
CVE-2026-30925 Parse Server affected by Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...
PT-2026-24151
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.0-alpha.14 Parse Server versions prior to 8.6.11 Description A crafted $regex pattern within a LiveQuery subscription can cause catastrophic backtracking, blocking the Node.js event loop and rendering the...
CVE-2022-31112
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
EUVD-2021-2005
Malware in sbrugna...
EUVD-2022-6325
Malicious code in bioql PyPI...
CVE-2021-41109
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...
BIT-PARSE-2021-41109 LiveQuery publishes user session tokens
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...
BIT-PARSE-2022-31112 Protected fields exposed via LiveQuery in parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
Protected fields exposed via LiveQuery
Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches The LiveQueryController now removes protected fields from the client response. Workarounds Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References -...
GHSA-CRRQ-VR9J-FXXH Protected fields exposed via LiveQuery
Impact Parse Server LiveQuery does not remove protected fields in classes, passing them to the client. Patches The LiveQueryController now removes protected fields from the client response. Workarounds Use Parse.Cloud.afterLiveQueryEvent to manually remove protected fields. References -...
CVE-2022-31112
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
Design/Logic Flaw
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...
CVE-2022-31112 Protected fields exposed via LiveQuery in parse-server
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client respons...