95 matches found

CVE, added 2022/11/10 12:00 a.m., 135 views

CVE-2022-39396

Parse Server is vulnerable to Remote Code Execution via prototype pollution in the MongoDB BSON parser. Affected are versions prior to 4.10.18, and prior to 5.3.1 on the 5.X branch. The issue is fixed in 4.10.18 and in 5.3.1; there are no known workarounds.

CVSS 9.8 | AI score 9.8 | EPSS 0.41218

CVE, added 2022/03/11 11:55 p.m., 134 views

CVE-2022-24760

The set of connected sources confirms CVE-2022-24760 is a real vulnerability in Parse Server (pre-4.10.7) caused by prototype pollution in DatabaseController.js, enabling Remote Code Execution with default MongoDB configurations on Linux/Windows. Impact is described as RCE (high severity) with a ...

CVSS 10 | AI score 9.5 | EPSS 0.49081

CVE, added 2022/05/04 1:10 a.m., 130 views

CVE-2022-24901

CVE-2022-24901 describes an authentication bypass and potential denial of service in the Apple Game Center authentication adapter used by parse-server. The root cause is improper validation of the Apple certificate URL, enabling bypassing authentication and exposing the server to DoS. The publish...

CVSS 7.5 | AI score 7.2 | EPSS 0.00625

CVE, added 2022/09/23 6:40 a.m., 100 views

CVE-2022-39225

Parse Server contains a vulnerability (CVE-2022-39225) where a user can write to another user’s session object if the session object ID is known, potentially reading custom fields. The issue affects older releases prior to 4.10.15 and 5.0.0–5.2.6, with patches in 4.10.15+ and 5.2.6+. Mitigation g...

CVSS 4.3 | AI score 4 | EPSS 0.00397

CVE, added 2024/03/01 5:48 p.m., 100 views

CVE-2024-27298

CVE-2024-27298 affects parse-server (Parse Server for Node.js/Express) when configured with PostgreSQL. The underlying issue is a SQL injection in the server’s PostgreSQL handling. The vulnerability has been fixed in versions 6.5.0 and 7.0.0-alpha.20. Affected products/versions per sources includ...

CVSS 10 | AI score 9.8 | EPSS 0.0103

CVE, added 2022/06/27 9:10 p.m., 99 views

CVE-2022-31089

CVE-2022-31089 affects Parse Server (Node.js backend). The vulnerability arises from improper handling of certain invalid file requests, which can crash the server. Impact: availability can be high for a single instance, lower for clustered setups. The issue has been fixed in versions 4.10.12 and...

CVSS 7.5 | AI score 7.4 | EPSS 0.00931

CVE, added 2022/06/17 6:15 p.m., 95 views

CVE-2022-31083

Parse Server vulnerability CVE-2022-31083 affects the Apple Game Center auth adapter. Prior to versions 4.10.11 and 5.2.2, the certificate in this adapter was not validated, potentially allowing authentication bypass by supplying a forged certificate via certain Apple domains and an authData URL....

CVSS 8.6 | AI score 7.4 | EPSS 0.00804

CVE, added 2021/08/18 9:40 p.m., 90 views

CVE-2021-39138

Parse Server prior to v4.5.1 incorrectly classifies anonymous sessions as password-created when first signing up via REST, due to the createdWith value in _Session. This affects only developers who rely on createdWith for access control; the vulnerability is fixed in 4.5.1. The recommended workar...

CVSS 6.5 | AI score 5.6 | EPSS 0.00993

CVE, added 2022/11/10 12:00 a.m., 87 views

CVE-2022-41878

Parse Server contains a prototype pollution vulnerability (CVE-2022-41878) where keywords defined in the requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers, allowing them to be saved to the database and bypass the denylist. Affected versions are prior to 4.10.19 or 5.3.2; ...

CVSS 9.8 | AI score 8 | EPSS 0.00875

CVE, added 2022/06/30 4:40 p.m., 85 views

CVE-2022-31112

Parse Server LiveQuery vulnerability (CVE-2022-31112): protected fields in classes were exposed to clients because LiveQueryController failed to strip them. The issue affects Parse Server LiveQuery; the fix is implemented by removing protected fields from client responses in the updated controlle...

CVSS 8.2 | AI score 8.1 | EPSS 0.01007

CVE, added 2023/06/28 10:32 p.m., 84 views

CVE-2023-36475

Parse Server is affected by a prototype pollution vulnerability that enables remote code execution through the MongoDB BSON parser. The issue occurs in affected builds prior to 5.5.2 and 6.2.1, where a prototype pollution sink can be exploited to trigger RCE. A patch is available in versions 5.5....

CVSS 9.8 | AI score 9.7 | EPSS 0.02682

CVE, added 2020/12/30 7:25 p.m., 83 views

CVE-2020-26288

CVE-2020-26288 (Parse Server) affects the parse-server npm package prior to version 4.5.0. In those versions, user passwords involved in LDAP authentication are stored in cleartext, creating a risk of exposure. The issue is resolved in version 4.5.0, which fixes the vulnerability by stripping the...

CVSS 7.7 | AI score 6.6 | EPSS 0.00796

CVE, added 2023/02/03 7:57 p.m., 80 views

CVE-2023-22474

Parse Server (Node.js backend) is affected by CVE-2023-22474 due to trusting the client IP from the x-forwarded-for header when not behind a proxy, allowing bypass of the masterKeyIps security check. The issue has been fixed in version 5.4.1, where IP address determination was rewritten and the t...

CVSS 8.7 | AI score 8.2 | EPSS 0.00664

CVE, added 2021/09/02 3:35 p.m., 75 views

CVE-2021-39187

CVE-2021-39187 affects Parse Server prior to 4.10.3. The vulnerability arises from the MongoDB Node.js driver: when a query request contains an invalid value for the explain option, the driver throws an exception that Parse Server cannot catch, causing a crash. A patch exists in Parse Server 4.10...

CVSS 7.5 | AI score 7.4 | EPSS 0.01761

CVE, added 2024/03/19 6:57 p.m., 74 views

CVE-2024-29027

Parse Server vulnerability CVE-2024-29027 affects versions prior to 6.5.5 and 7.0.0-alpha.29, where calling an invalid Cloud Function name or Cloud Job name can crash the server and may allow code injection, internal store manipulation, or remote code execution. The fix was implemented in 6.5.5 a...

CVSS 9 | AI score 9.3 | EPSS 0.01188

CVE, added 2022/09/07 8:40 p.m., 71 views

CVE-2022-36079

CVE-2022-36079 affects Parse Server. Internal/protected fields (prefixed with '_') can be used as query constraints, and before fixes users could enumerate these fields to elicit a response object. This vulnerability existed prior to patches in versions 4.10.14 and 5.2.5, which require the master...

CVSS 8.6 | AI score 7.9 | EPSS 0.00966

CVE, added 2022/10/24 12:00 a.m., 71 views

CVE-2022-39313

Parse Server is affected by a Denial of Service when handling a file download request with an invalid byte range. The issue occurs in versions prior to 4.10.17 and, on the 5.x branch, prior to 5.2.8, where such requests crash the server. Patches are available in v4.10.17 and v5.2.8. No workaround...

CVSS 7.5 | AI score 7.4 | EPSS 0.00689

CVE, added 2023/09/04 10:39 p.m., 70 views

CVE-2023-41058

Parse Server fixed a vulnerability where the Cloud trigger beforeFind was not invoked under certain Parse.Query conditions. The issue could bypass the security layer provided by beforeFind. The fix refactored the internal query pipeline and added a patch to ensure beforeFind is invoked. The fix w...

CVSS 7.5 | AI score 7.5 | EPSS 0.00623

CVE, added 2020/03/04 3:10 p.m., 69 views

CVE-2020-5251

CVE-2020-5251 affects parse-server prior to version 4.1.0. An insecure regex in NoSQL queries on the _sessionToken (and related token[$regex]) can disclose information by enumerating user objects, enabling an attacker to identify valid accounts. This is an information-disclosure flaw rather than r...

CVSS 7.7 | AI score 5.5 | EPSS 0.00849

CVE, added 2021/09/30 3:10 p.m., 68 views

CVE-2021-41109

CVE-2021-41109 refers to a vulnerability in Parse Server where, before version 4.10.4, LiveQuery payloads leaked session tokens for users with a LiveQuery subscription on the Parse.User class. The root cause is that LiveQuery payloads included session tokens while regular queries did not. The adv...

CVSS 7.5 | AI score 7.5 | EPSS 0.01206

CVE, added 2022/11/10 12:00 a.m., 66 views

CVE-2022-41879

Parse Server is affected by a prototype pollution vulnerability in Cloud Code Webhook targets. In versions prior to 5.3.3 and 4.10.20, an attacker can exploit a compromised Cloud Code Webhook endpoint to bypass the server’s requestKeywordDenylist, enabling prototype pollution with potentially hig...

CVSS 9.8 | AI score 8.2 | EPSS 0.00809

CVE, added 2022/09/23 7:40 a.m., 65 views

CVE-2022-39231

Parse Server versions prior to 4.10.16 and 5.0.0–5.2.6 contain an authentication bypass flaw in the Facebook/Spotify adapters where appIds configured as a string (instead of an array) can let requests from a different app ID slip through. The root cause is improper validation of the ada...

CVSS 3.7 | AI score 3.9 | EPSS 0.00427

CVE, added 2019/07/29 12:16 p.m., 60 views

CVE-2019-1020012

CVE-2019-1020012 affects parse-server prior to 3.4.1 and enables a Denial of Service after POSTing to a volatile class (e.g., /parse/classes/_Audience). Several sources confirm the vulnerability and patch: the public advisory notes that subsequent POST requests can yield a 500 Internal Server Err...

CVSS 7.5 | AI score 7.3 | EPSS 0.01399

CVE, added 2023/05/30 5:27 p.m., 59 views

CVE-2023-32689

Parse Server (Node.js) versions prior to 5.4.4 and 6.1.1 are vulnerable to a phishing-style flaw where a user can upload an HTML file via the public API, making that HTML accessible under the hosting domain for phishing use. The vulnerability is compounded by the Parse JavaScript SDK, which store...

CVSS 6.5 | AI score 6.1 | EPSS 0.00639

CVE, added 2019/07/29 12:18 p.m., 58 views

CVE-2019-1020013

CVE-2019-1020013 affects parse-server prior to 3.6.0, allowing unauthenticated users to enumerate existing accounts via error messages. The root cause is information disclosure during the authentication/account-linking flow, where specific errors reveal account existence (ParseError.ACCOUNT_ALREADY_L...

CVSS 5.3 | AI score 5.2 | EPSS 0.01155

CVE, added 2024/10/04 3:06 p.m., 52 views

CVE-2024-47183

Summary: Parse Server vulnerability CVE-2024-47183 arises when allowCustomObjectId: true is enabled. An attacker allowed to create a new user can set a custom object ID and thereby acquire privileges of a specific role. This is mitigated by fixed versions 6.5.9 and 7.3.0. What’s affected: Parse S...

CVSS 8.1 | AI score 7.8 | EPSS 0.00414

CVE, added 2026/03/10 4:34 p.m., 28 views

CVE-2026-30938

Parse Server is affected by GHSA-Q342-9W2P-57FP, a vulnerability in the denylist keyword scan. The issue arises in the requestKeywordDenylist scanner: if a nested object/array appears before a prohibited keyword, the scanner exits prematurely, allowing bypass of the denylist. All deployments are ...

CVSS 6.9 | AI score 5.8 | EPSS 0.00393

CVE, added 2026/03/11 5:14 p.m., 27 views

CVE-2026-31856

CVE-2026-31856 affects the Parse Server PostgreSQL storage adapter. The vulnerability allows SQL injection via Increment on nested object fields (e.g., stats.counter) where the amount is interpolated into the SQL query without parameterization, enabling reading data and bypassing CLPs/ACLs. MongoDB d...

CVSS 9.8 | AI score 5.9 | EPSS 0.00418

CVE, added 2026/03/10 8:45 p.m., 23 views

CVE-2026-30966

Parse Server prior to 9.5.2-alpha.7 and 8.6.20 is vulnerable: internal tables backing Relation field mappings are accessible via REST/GraphQL using only the application key, allowing any client to create/read/update/delete records in relation tables and potentially inject themselves into any Pars...

CVSS 10 | AI score 5.8 | EPSS 0.00384

CVE, added 2026/03/11 7:58 p.m., 22 views

CVE-2026-32234

Parse Server vulnerability CVE-2026-32234 affects deployments using PostgreSQL. A crafted field name in a $regex query constraint can be interpolated into SQL when an attacker has master-key access, bypassing the Parse Server layer and enabling database-level SQL injection. Affected versions are ...

CVSS 5.1 | AI score 5.8 | EPSS 0.00201

CVE, added 2026/03/18 9:33 p.m., 22 views

CVE-2026-32742

CVE-2026-32742 affects Parse Server. Before versions 9.6.0-alpha.17 and 8.6.42, an authenticated user could overwrite server-generated session fields (sessionToken, expiresAt, createdWith) when creating a session via POST /classes/_Session, potentially bypassing session expiration and predicting ...

CVSS 4.3 | AI score 5.9 | EPSS 0.00306

Web, CVE, added 2026/03/11 6:01 p.m., 19 views

CVE-2026-31871

Parse Server has a SQL injection vulnerability in the PostgreSQL storage adapter during Increment operations on nested object fields (dot notation, e.g., stats.counter). The sub-key name is interpolated into SQL literals without escaping, enabling an attacker who can submit REST API write request...

CVSS 9.8 | AI score 5.9 | EPSS 0.00418

CVE, added 2026/03/31 7:34 p.m., 18 views

CVE-2026-34215

Parse Server exposes sensitive authentication data via the verifyPassword endpoint. Affected versions are before 8.6.63 and 9.7.0-alpha.7. The endpoint returns unsanitized data including MFA TOTP secrets, recovery codes, and OAuth access tokens, enabling an attacker who knows a user’s password to...

CVSS 8.2 | AI score 5.8 | EPSS 0.00303

CVE, added 2026/03/07 4:18 p.m., 17 views

CVE-2026-30863

CVE-2026-30863 affects Parse Server through its Google, Apple, and Facebook authentication adapters. If the adapter’s audience option (clientId for Google/Apple, appIds for Facebook) is not configured, the JWT verification process does not validate the audience claim, enabling an attacker to pres...

CVSS 9.8 | AI score 5.7 | EPSS 0.00525

CVE, added 2026/03/10 8:16 p.m., 16 views

CVE-2026-30947

Parse Server (with LiveQuery) is affected by CVE-2026-30947 where class-level permissions (CLP) are not enforced for LiveQuery subscriptions in older releases. An unauthenticated or unauthorized client could subscribe to any LiveQuery-enabled class and receive real-time events for all objects, by...

CVSS 8.7 | AI score 5.8 | EPSS 0.00426

CVE, added 2026/03/11 4:53 p.m., 15 views

CVE-2026-31840

CVE-2026-31840 affects Parse Server (Node.js backend) deployed with PostgreSQL. The issue is a SQL injection via dot-notation field names used with the sort, distinct, or where query parameters, due to improper escaping of sub-field values. Affected versions are prior to 9.6.0-alpha.2 and 8.6.28;...

CVSS 9.8 | AI score 5.8 | EPSS 0.00408

CVE, added 2026/03/18 9:46 p.m., 15 views

CVE-2026-32943

Parse Server prior to versions 9.6.0-alpha.28 and 8.6.48 did not enforce single-use for password-reset tokens, allowing a token to be consumed by concurrent requests. An attacker with an intercepted token could race a legitimate reset request, potentially changing a target account’s password. Sta...

CVSS 3.1 | AI score 5.8 | EPSS 0.00207

CVE, added 2025/12/16 6:15 p.m., 14 views

CVE-2025-68150

CVE-2025-68150 affects Parse Server where the Instagram OAuth adapter allows an attacker to supply a custom apiURL in authData, enabling Server-Side Request Forgery (SSRF) and potentially authentication bypass by hitting malicious endpoints. Root cause: client-provided apiURL is not validated and...

CVSS 8.3 | AI score 6.5 | EPSS 0.00291

CVE, added 2026/03/06 8:25 p.m., 14 views

CVE-2026-30228

Parse Server is affected where the readOnlyMasterKey is used with the Files API (POST /files/:filename, DELETE /files/:filename). Prior to versions 8.6.5 and 9.5.0-alpha.3, this could bypass the read-only restriction, allowing an attacker with the readOnlyMasterKey to upload arbitrary files or de...

CVSS 6.9 | AI score 5.8 | EPSS 0.00329

Web, CVE, added 2026/03/10 8:14 p.m., 14 views

CVE-2026-30946

Parse Server is affected by a denial-of-service due to unbounded query complexity in REST and GraphQL APIs. Unauthenticated attackers can exhaust resources (CPU, memory, database connections) via crafted queries, affecting all deployments using REST/GraphQL prior to 9.5.2-alpha.2 and 8.6.15. The ...

CVSS 8.7 | AI score 5.7 | EPSS 0.00562

CVE, added 2026/03/24 6:21 p.m., 14 views

CVE-2026-33508

Parse Server’s LiveQuery WebSocket subscription processing is vulnerable to a query depth bypass due to not enforcing the requestComplexity.queryDepth setting before versions 8.6.56 and 9.6.0-alpha.45. An attacker can submit a subscription with deeply nested logical operators, triggering recursio...

CVSS 8.2 | AI score 5.7 | EPSS 0.00345

CVE, added 2026/05/12 1:34 p.m., 14 views

CVE-2026-43930

CVE-2026-43930 affects Parse Server. A race condition in the MFA SMS OTP login path before 8.6.76 and 9.9.0-alpha.2 can allow two concurrent /login requests carrying the same OTP to succeed, producing two valid session tokens. Impact is breaking single-use OTP; attacker must already know the vict...

CVSS 5.9 | AI score 5.8 | EPSS 0.00236

CVE, added 2026/03/10 8:20 p.m., 13 views

CVE-2026-30949

CVE-2026-30949 affects Parse Server deployments using the Keycloak authentication adapter. The issue is that the azp (authorized party) claim in Keycloak access tokens is not validated against the configured client-id, enabling a valid token from one client to authenticate as any user on Parse Se...

CVSS 8.8 | AI score 5.8 | EPSS 0.00426

CVE, added 2026/03/24 6:18 p.m., 13 views

CVE-2026-33498

CVE-2026-33498 affects Parse Server (Node.js). Before versions 8.6.55 and 9.6.0-alpha.44, an unauthenticated HTTP request with a deeply nested query containing logical operators can permanently hang the server process, rendering it unresponsive and requiring manual restart. This is a bypass of th...

CVSS 8.7 | AI score 5.7 | EPSS 0.00452

CVE, added 2026/03/31 2:25 p.m., 13 views

CVE-2026-34224

CVE-2026-34224 affects Parse Server (Node.js backend). A flaw in the authData login flow lets an attacker with a valid provider token and a single MFA recovery code or SMS OTP create multiple authenticated sessions by issuing concurrent login requests, defeating the single-use MFA guarantee and p...

CVSS 4.4 | AI score 5.8 | EPSS 0.00311

CVE, added 2026/03/31 3:06 p.m., 13 views

CVE-2026-34573

Parse Server exposes a denial-of-service when the GraphQL query complexity validator is enabled (requestComplexity.graphQLDepth or requestComplexity.graphQLFields). In versions prior to 8.6.68 and 9.7.0-alpha.12, a crafted query using binary fan-out fragment spreads can block the Node.js event lo...

CVSS 8.2 | AI score 5.7 | EPSS 0.00463

CVE, added 2026/04/06 7:47 p.m., 13 views

CVE-2026-35200

Parse Server has a Content-Type mismatch vulnerability in file uploads: if a filename extension passes the allowlist but the Content-Type header differs (e.g., .txt with text/html), the Content-Type is forwarded to storage adapters (such as S3 or GCS) and served as-is. Affected versions are prior...

CVSS 5.4 | AI score 5.9 | EPSS 0.00162

CVE, added 2026/03/06 8:26 p.m., 12 views

CVE-2026-30229

CVE-2026-30229 affects Parse Server. The readOnlyMasterKey could call POST /loginAs to obtain a valid session token, allowing impersonation of arbitrary users with full read/write access. Impact applies to any deployment using readOnlyMasterKey. The issue is resolved in Parse Server releases 8.6....

CVSS 8.5 | AI score 5.8 | EPSS 0.00388

CVE, added 2026/03/07 4:20 p.m., 12 views

CVE-2026-30848

Parse Server’s PagesRouter is vulnerable to a path traversal issue prior to versions 8.6.8 and 9.5.0-alpha.8. The boundary check uses a string prefix comparison without enforcing a directory separator boundary, enabling unauthenticated access to files outside the configured pagesPath by traversal...

CVSS 6.3 | AI score 5.7 | EPSS 0.00312

CVE, added 2026/03/09 11:01 p.m., 12 views

CVE-2026-30925

CVE-2026-30925 affects Parse Server with LiveQuery enabled. A crafted $regex subscription can cause catastrophic backtracking in JavaScript regex evaluation on the Node.js event loop, blocking the server and making the entire deployment unresponsive. This impacts all clients for affected deployme...

CVSS 8.2 | AI score 5.8 | EPSS 0.00446

Total number of security vulnerabilities: 95