1612 matches found
CVE-2023-32689
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing attack vulnerability that involves a user uploading malicious files. A malicious user could upload an HTML file to Parse Server vi...
CVE-2023-36475
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 5.5.2 and 6.2.1, an attacker can use a prototype pollution sink to trigger a remote code execution through the MongoDB BSON parser. A patch is available in versions 5.5.2 and...
CVE-2022-39225
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign th...
CVE-2022-39231
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.16, or from 5.0.0 to 5.2.6, validation of the authentication adapter app ID for Facebook and Spotify may be circumvented. Configurations which allow users to...
CVE-2021-41109
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version 4.10.4, for regular non-LiveQuery queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscriptio...
CVE-2021-39138
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Developers can use the REST API to signup users and also allow users to login anonymously. Prior to version 4.5.1, when an anonymous user is first signed up using REST, the server creates sessi...
CVE-2020-15270
Parse Server npm package parse-server broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens. The issue is not...
CVE-2019-1020013
parse-server before 3.6.0 allows account enumeration...
CVE-2019-1020012
parse-server before 3.4.1 allows DoS after any POST to a volatile class...
The vulnerability of the `parse_server_interfaces()` function in the `fs/smb/client/smb2ops.c` module allows a hacker to compromise the integrity of protected information or cause service failures for the SMB kernel client of the Linux operating system.
The vulnerability of the parseserverinterfaces function in the fs/smb/client/smb2ops.c module, which is part of the SMB client support in Linux operating systems, involves a numerical port escape or cyclic shift vulnerability. Exploiting this vulnerability could allow an attacker to compromise th...
Authentication Credential Reuse
parse-server is vulnerable to Authentication Credential Reuse. The vulnerability is due to improper isolation of authentication credentials, allowing them to be shared across multiple Parse Server apps using the same third-party authentication provider...
BIT-PARSE-2025-30168 Parse Server has an OAuth login vulnerability
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse...
CVE-2025-30168
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse...
@bigegg/parse-server-schema-config (>=1.0.5 <=1.0.10), @kontaa/subgraph (>=1.0.1 <=1.2.3) +25 more potentially affected by CVE-2025-30168 via parse-server (>=2.0.8 <=6.5.11)
parse-server NPM version =2.0.8, =1.0.5, =1.0.1, =1.2.1, =2.4.46, =2.4.8, =1.0.0, =1.0.0, =1.0.1, =0.1.1, =0.0.2, =1.0.0, =0.1.0, =0.1.7, =0.0.1, =0.0.29 - parse-cli-server2 =0.0.30 and more Source cves: CVE-2025-30168 Source advisory: OSV:GHSA-837Q-JHWX-CMPV...
GHSA-837Q-JHWX-CMPV Parse Server has an OAuth login vulnerability
Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, th...
Parse Server has an OAuth login vulnerability
Impact The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, th...
CVE-2025-30168
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse...
CVE-2025-30168 Parse Server has an OAuth login vulnerability
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse...
CVE-2025-30168
CVE-2025-30168 affects Parse Server versions prior to 7.5.2 and 8.0.2, where 3rd‑party authentication handling could allow credentials from one app to be used in another when the same provider is used. This may enable cross‑app authentication for users of specific providers configured via an affe...
CVE-2025-30168 Parse Server has an OAuth login vulnerability
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse...