Parse Server: MFA recovery code single-use bypass via concurrent requests
Modified: 3/27/2026
package
pkg:npm/parse-server
GraphQL: Security breach on Viewer query
Modified: 3/13/2026
parse-server new anonymous user session acts as if it's created with password
Modified: 3/13/2026
Parse Server before v3.4.1 vulnerable to Denial of Service
Modified: 3/13/2026
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Modified: 3/16/2026
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Modified: 12/6/2023
receiving subscription objects with deleted session
Modified: 3/13/2026
Parse Server exposes auth data via /users/me endpoint
Modified: 3/27/2026
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Modified: 6/12/2026
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Modified: 2/3/2026
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Modified: 3/20/2026
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Modified: 3/20/2026
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Modified: 12/6/2023
Parse Server missing audience validation in Keycloak authentication adapter
Modified: 3/14/2026
Parse Server exposes the data schema via GraphQL API
Modified: 7/16/2025
Parse Server's MFA recovery codes not consumed after use
Modified: 3/13/2026
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Modified: 3/2/2026
Parse Server stores password in plain text
Modified: 3/13/2026
Incorrect version tags linked to external repository
Modified: 9/3/2021
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Modified: 3/14/2026
Parse Server: Account takeover via operator injection in authentication data identifier
Modified: 3/16/2026
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Modified: 3/20/2026
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Modified: 3/16/2026
Parse Server session creation endpoint allows overwriting server-generated session fields
Modified: 3/20/2026
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Modified: 4/1/2024
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Modified: 3/16/2026
Server crashes on invalid Cloud Function or Cloud Job name
Modified: 3/21/2024
Parse Server LiveQuery subscription query depth bypass
Modified: 3/30/2026
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Modified: 3/14/2026
parse-server's session object properties can be updated by foreign user if object ID is known
Modified: 12/6/2023
Parse Server has a protected fields bypass via logical query operators
Modified: 3/14/2026
Parse Server has a rate limit bypass via batch request endpoint
Modified: 3/14/2026
Parse Server may crash when uploading file without extension
Modified: 12/6/2023
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Modified: 3/16/2026
Parse Server has a bypass of class-level permissions in LiveQuery
Modified: 3/14/2026
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
Modified: 11/13/2025
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Modified: 3/14/2026
LiveQuery publishes user session tokens in parse-server
Modified: 3/13/2026
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Modified: 3/14/2026
Parse Server LiveQuery subscription with invalid regular expression crashes server
Modified: 3/20/2026
Parse Server has an OAuth login vulnerability
Modified: 3/25/2025
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
Modified: 6/12/2026
Sensitive Data Exposure in parse-server
Modified: 3/13/2026
Parse Server's custom object ID allows acquiring role privileges
Modified: 10/8/2024
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Modified: 12/6/2023
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Modified: 3/20/2026
parse-server: Malformed `$regex` query leaks database error details in API response
Modified: 3/16/2026
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Modified: 3/30/2026
Phishing attack vulnerability by uploading malicious HTML file
Modified: 12/6/2023
Parse Server crash via deeply nested query condition operators
Modified: 3/20/2026
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
Modified: 7/3/2024
Parse Server has a SQL injection via query field name when using PostgreSQL
Modified: 3/14/2026
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Modified: 3/16/2026
Protected fields exposed via LiveQuery
Modified: 12/6/2023
Parse Server has a session field immutability bypass via falsy-value guard
Modified: 4/6/2026
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Modified: 12/6/2023
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Modified: 3/30/2026
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Modified: 3/14/2026
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
Modified: 3/27/2026
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Modified: 4/15/2026
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Modified: 3/13/2026
Parse Server email verification resend page leaks user existence
Modified: 3/30/2026
parse-server crashes when receiving file download request with invalid byte range
Modified: 12/6/2023
Information disclosure in parse-server
Modified: 3/13/2026
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Modified: 3/14/2026
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Modified: 3/16/2026
Parse Server's streaming file download bypasses afterFind file trigger authorization
Modified: 4/6/2026
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Modified: 3/16/2026
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Modified: 3/14/2026
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Modified: 3/30/2026
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Modified: 12/18/2025
parse-server: MFA SMS one-time password accepted twice under concurrent login
Modified: 5/14/2026
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Modified: 4/6/2026
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Modified: 3/16/2026
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Modified: 4/6/2026
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Modified: 4/6/2026
Parse Server has a login timing side-channel that reveals user existence
Modified: 4/15/2026
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Modified: 3/27/2026
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Modified: 3/20/2026
Command injection in Parse Server through prototype pollution
Modified: 12/6/2023
Parse Server has an auth provider validation bypass on login via partial authData
Modified: 3/30/2026
Remote code execution via MongoDB BSON parser through prototype pollution
Modified: 12/6/2023
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Modified: 3/16/2026
GraphQL API endpoint ignores CORS origin restriction
Modified: 4/6/2026
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Modified: 3/13/2026
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Modified: 3/16/2026
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
Modified: 12/6/2023
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Modified: 3/30/2026
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Modified: 3/13/2026
Parse Server has a protected fields bypass via dot-notation in query and sort
Modified: 3/13/2026
Parse Server has a password reset token single-use bypass via concurrent requests
Modified: 3/20/2026
parse-server auth adapter app ID validation can be circumvented
Modified: 12/6/2023
Authentication bypass vulnerability in Apple Game Center auth adapter
Modified: 12/6/2023
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Modified: 3/13/2026
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Modified: 3/16/2026
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Modified: 3/14/2026
Parse Server option `masterKeyIps` vulnerability to IP spoofing
Modified: 12/6/2023
parse-server has cloud function validator bypass via prototype chain traversal
Modified: 4/6/2026
Parse Server: File upload Content-Type override via extension mismatch
Modified: 4/8/2026
Parse Server vulnerable to user enumeration via email verification endpoint
Modified: 3/13/2026