13 matches found

OSV
added 2026/06/16 12:40 p.m. · 5 views

BIT-PARSE-2026-50008 Parse Server: Server option routeAllowList is bypassable through batch sub-requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as Express...

CVSS 6.9 · AI score 5.3 · EPSS 0.00342
Exploits 0 · References 3
Vulnrichment
added 2026/06/12 6:22 p.m. · 9 views

CVE-2026-50008 Parse Server: Server option routeAllowList is bypassable through batch sub-requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.8.0 to before version 9.9.1-alpha.3, the routeAllowList server option restricts external client access to a configured list of REST API routes. The check is only enforced as...

CVSS 6.9 · AI score 5.3 · EPSS 0.00342
Exploits 0 · References 2
OSV
added 2026/03/11 12:21 a.m. · 3 views

GHSA-775H-3XRC-C228 Parse Server has a rate limit bypass via batch request endpoint

Impact: Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

CVSS 6.9 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 5
Github Security Blog
added 2026/03/11 12:21 a.m. · 9 views

Parse Server has a rate limit bypass via batch request endpoint

Impact: Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle...

CVSS 7.5 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 5 · Affected Software 1
NVD
added 2026/03/10 9:16 p.m. · 5 views

CVE-2026-30972

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 7.5 · EPSS 0.00342
Exploits 0 · References 3
Cvelist
added 2026/03/10 8:48 p.m. · 26 views

CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 6.9 · EPSS 0.00342
Exploits 0 · References 3
Vulnrichment
added 2026/03/10 8:48 p.m. · 3 views

CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 6.9 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 3
CVE
added 2026/03/10 8:48 p.m. · 10 views

CVE-2026-30972

Parse Server is affected by a rate-limit bypass vulnerability where the /batch endpoint processes sub-requests internally and bypasses the Express middleware rate limiting that protects other endpoints. This allows bundling multiple requests targeting a rate-limited path into a single batch, circ...

CVSS 7.5 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 3 · Affected Software 1
OSV
added 2026/03/10 8:48 p.m. · 5 views

CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...

CVSS 6.9 · AI score 5.8 · EPSS 0.00342
Exploits 0 · References 5
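The Parse Server entries above (the /batch rate-limit bypass and the routeAllowList bypass) share one root cause: a check that runs as outer middleware sees only the /batch envelope, while the handler dispatches each bundled sub-request straight to the internal router. The following is an added illustration written for this listing; it is not Parse Server's or Express's code. It models the pipeline with a toy router, a hypothetical counter-based rate limiter and a hypothetical allow-list check, and shows one hardening approach (re-running the same checks on every sub-request). Client address, routes and request bodies are constructed sample data.

```javascript
'use strict';
// Added example: outer-middleware checks versus per-sub-request checks on a
// /batch-style endpoint. Toy stand-ins, not Parse Server or Express code.

// Hypothetical per-client rate limiter: a plain counter with no time window,
// enough to show whether a check ran for a given request.
function makeRateLimiter(maxRequests) {
  const counts = new Map();
  return function rateLimit(req) {
    const n = (counts.get(req.ip) || 0) + 1;
    counts.set(req.ip, n);
    return n > maxRequests ? { status: 429, body: 'Too Many Requests' } : null;
  };
}

// Hypothetical routeAllowList-style check: external clients may only reach
// listed paths (exact match or path prefix).
function makeAllowList(allowed) {
  return function allowList(req) {
    const ok = allowed.some((p) => req.path === p || req.path.startsWith(p + '/'));
    return ok ? null : { status: 403, body: 'Forbidden' };
  };
}

// Internal route table, playing the role of the "Promise router" in the advisory.
const routes = {
  '/login': (req) => ({ status: 200, body: `login attempt for ${req.body.username}` }),
  '/classes/Secret': () => ({ status: 200, body: 'secret rows' }),
};

function routeInternal(req) {
  const handler = routes[req.path];
  return handler ? handler(req) : { status: 404, body: 'Not Found' };
}

// A server whose middleware chain runs once per incoming HTTP request. When
// checkSubRequests is false, /batch fans sub-requests out to routeInternal
// without ever passing them through the chain (the vulnerable shape). When
// true, each sub-request is checked as if it had arrived on its own.
function makeServer({ checks, checkSubRequests }) {
  function runChecks(req) {
    for (const check of checks) {
      const rejected = check(req);
      if (rejected) return rejected;
    }
    return null;
  }
  return function handle(req) {
    const rejected = runChecks(req);
    if (rejected) return rejected;
    if (req.path === '/batch') {
      const results = req.body.requests.map((sub) => {
        const subReq = { ip: req.ip, path: sub.path, body: sub.body || {} };
        if (checkSubRequests) {
          const subRejected = runChecks(subReq);
          if (subRejected) return subRejected;
        }
        return routeInternal(subReq);
      });
      return { status: 200, body: results };
    }
    return routeInternal(req);
  };
}

// Scenario: at most 5 requests per client, and /classes/Secret is not on the
// allow list. One client sends a single /batch envelope carrying 20 login
// guesses plus a read of the non-allow-listed route.
function runScenario(checkSubRequests) {
  const checks = [makeAllowList(['/login', '/batch']), makeRateLimiter(5)];
  const server = makeServer({ checks, checkSubRequests });
  const attacker = '203.0.113.9'; // constructed sample client address
  const guesses = Array.from({ length: 20 }, (_, i) => ({
    path: '/login',
    body: { username: 'admin', password: `guess${i}` },
  }));
  const envelope = {
    ip: attacker,
    path: '/batch',
    body: { requests: [...guesses, { path: '/classes/Secret' }] },
  };
  const statuses = server(envelope).body.map((r) => r.status);
  return {
    loginsProcessed: statuses.slice(0, 20).filter((s) => s === 200).length,
    loginsThrottled: statuses.slice(0, 20).filter((s) => s === 429).length,
    secretStatus: statuses[20],
  };
}

console.log(JSON.stringify({ vulnerable: runScenario(false), hardened: runScenario(true) }));
```

In the vulnerable configuration every one of the 20 guesses reaches the login handler and the non-allow-listed route answers 200, because the only request the middleware ever saw was the envelope. With per-sub-request checks, the counter that already counted the envelope throttles everything after the fourth guess and the allow list rejects the sub-request for /classes/Secret. The general lesson is that a batch endpoint has to be treated as a multiplexer: any policy enforced by path, method or client must be evaluated against the unpacked requests, not the transport that carried them.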
OSV
added 2021/11/24 8:04 p.m. · 22 views

GHSA-Q3J3-W37X-HQ2Q Webcache Poisoning in symfony/http-kernel

Description: When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfo...

CVSS 6.5 · AI score 6.1 · EPSS 0.01239
Exploits 0 · References 8
Github Security Blog
added 2021/11/24 8:04 p.m. · 34 views

Webcache Poisoning in symfony/http-kernel

Description: When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfo...

CVSS 6.5 · AI score 6.1 · EPSS 0.01239
Exploits 0 · References 9 · Affected Software 2
Positive Technologies
added 2021/11/24 12:00 a.m. · 3 views

PT-2021-23228 · Symfony · Symfony Httpkernel

Name of the Vulnerable Software and Affected Versions: Symfony/Http-Kernel versions 5.2 through 5.3.11. Description: The issue arises from the accessibility of the X-Forwarded-Prefix header in sub-requests, even when it is not part of the "trusted headers" allowed list. This allows an attacker to...

CVSS 6.5 · AI score 6.2 · EPSS 0.01239
Exploits 0 · References 18
Symfony
added 2015/05/27 12:00 a.m. · 76 views

CVE-2015-4050: ESI unauthorized access

Affected Versions: 2.3.19 - 2.3.28, 2.4.9 - 2.4.10, 2.5.4 - 2.5.11, 2.6.0 - 2.6.7 versions of the Symfony HttpKernel component are affected by this security issue. This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained...

CVSS 4.3 · AI score 5.7 · EPSS 0.08269
Exploits 0