Parse Server: MFA recovery code single-use bypass via concurrent requests
Modified: 2026-03-27
package
pkg:npm/parse-server
GraphQL: Security breach on Viewer query
Modified: 2026-03-13
parse-server new anonymous user session acts as if it's created with password
Modified: 2026-03-13
Parse Server before v3.4.1 vulnerable to Denial of Service
Modified: 2026-03-13
Parse Server's OAuth2 adapter shares mutable state across providers via singleton instance
Modified: 2026-03-16
Parse Server vulnerable to brute force guessing of user sensitive data via search patterns
Modified: 2023-12-06
receiving subscription objects with deleted session
Modified: 2026-03-13
Parse Server exposes auth data via /users/me endpoint
Modified: 2026-03-27
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Modified: 2026-06-12
Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter
Modified: 2026-02-03
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Modified: 2026-03-20
Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries
Modified: 2026-03-20
Parse Server vulnerable to remote code execution via MongoDB BSON parser through prototype pollution
Modified: 2023-12-06
Parse Server missing audience validation in Keycloak authentication adapter
Modified: 2026-03-14
Parse Server exposes the data schema via GraphQL API
Modified: 2025-07-16
Parse Server's MFA recovery codes not consumed after use
Modified: 2026-03-13
Parse Server: Account takeover via JWT algorithm confusion in Google auth adapter
Modified: 2026-03-02
Parse Server stores password in plain text
Modified: 2026-03-13
Incorrect version tags linked to external repository
Modified: 2021-09-03
Parse Server has role escalation and CLP bypass via direct `_Join` table write
Modified: 2026-03-14
Parse Server: Account takeover via operator injection in authentication data identifier
Modified: 2026-03-16
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Modified: 2026-03-20
Parse Server has Denial of Service (DoS) and Cloud Function Dispatch Bypass via Prototype Chain Resolution
Modified: 2026-03-16
Parse Server session creation endpoint allows overwriting server-generated session fields
Modified: 2026-03-20
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
Modified: 2024-04-01
Parse Server OAuth2 adapter app ID validation sends wrong token to introspection endpoint
Modified: 2026-03-16
Server crashes on invalid Cloud Function or Cloud Job name
Modified: 2024-03-21
Parse Server LiveQuery subscription query depth bypass
Modified: 2026-03-30
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Modified: 2026-03-14
parse-server's session object properties can be updated by foreign user if object ID is known
Modified: 2023-12-06
Parse Server has a protected fields bypass via logical query operators
Modified: 2026-03-14
Parse Server has a rate limit bypass via batch request endpoint
Modified: 2026-03-14
Parse Server may crash when uploading file without extension
Modified: 2023-12-06
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
Modified: 2026-03-16
Parse Server has a bypass of class-level permissions in LiveQuery
Modified: 2026-03-14
Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
Modified: 2025-11-13
Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction
Modified: 2026-03-14
LiveQuery publishes user session tokens in parse-server
Modified: 2026-03-13
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
Modified: 2026-03-14
Parse Server LiveQuery subscription with invalid regular expression crashes server
Modified: 2026-03-20
Parse Server has an OAuth login vulnerability
Modified: 2025-03-25
Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers
Modified: 2026-06-12
Sensitive Data Exposure in parse-server
Modified: 2026-03-13
Parse Server's custom object ID allows to acquire role privileges
Modified: 2024-10-08
Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks
Modified: 2023-12-06
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Modified: 2026-03-20
parse-server: Malformed `$regex` query leaks database error details in API response
Modified: 2026-03-16
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Modified: 2026-03-30
Phishing attack vulnerability by uploading malicious HTML file
Modified: 2023-12-06
Parse Server crash via deeply nested query condition operators
Modified: 2026-03-20
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
Modified: 2024-07-03
Parse Server has a SQL injection via query field name when using PostgreSQL
Modified: 2026-03-14
Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API
Modified: 2026-03-16
Protected fields exposed via LiveQuery
Modified: 2023-12-06
Parse Server has a session field immutability bypass via falsy-value guard
Modified: 2026-04-06
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Modified: 2023-12-06
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Modified: 2026-03-30
Parse Server OAuth2 authentication adapter account takeover via identity spoofing
Modified: 2026-03-14
Parse Server: Denial of Service via unindexed database query for unconfigured auth providers
Modified: 2026-03-27
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Modified: 2026-04-15
Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL
Modified: 2026-03-13
Parse Server email verification resend page leaks user existence
Modified: 2026-03-30
parse-server crashes when receiving file download request with invalid byte range
Modified: 2023-12-06
Information disclosure in parse-server
Modified: 2026-03-13
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Modified: 2026-03-14
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Modified: 2026-03-16
Parse Server's streaming file download bypasses afterFind file trigger authorization
Modified: 2026-04-06
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
Modified: 2026-03-16
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Modified: 2026-03-14
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Modified: 2026-03-30
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Modified: 2025-12-18
parse-server: MFA SMS one-time password accepted twice under concurrent login
Modified: 2026-05-14
LiveQuery protected field leak via shared mutable state across concurrent subscribers
Modified: 2026-04-06
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Modified: 2026-03-16
parse-server has GraphQL complexity validator exponential fragment traversal DoS
Modified: 2026-04-06
Parse Server has a LiveQuery protected-field guard bypass via array-like logical operator value
Modified: 2026-04-06
Parse Server has a login timing side-channel reveals user existence
Modified: 2026-04-15
Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter
Modified: 2026-03-27
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Modified: 2026-03-20
Command injection in Parse Server through prototype pollution
Modified: 2023-12-06
Parse Server has an auth provider validation bypass on login via partial authData
Modified: 2026-03-30
Remote code execution via MongoDB BSON parser through prototype pollution
Modified: 2023-12-06
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Modified: 2026-03-16
GraphQL API endpoint ignores CORS origin restriction
Modified: 2026-04-06
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
Modified: 2026-03-13
Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled
Modified: 2026-03-16
Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
Modified: 2023-12-06
Parse Server has a protected field change detection oracle via LiveQuery watch parameter
Modified: 2026-03-30
Parse Server: SQL injection via dot-notation field name in PostgreSQL
Modified: 2026-03-13
Parse Server has a protected fields bypass via dot-notation in query and sort
Modified: 2026-03-13
Parse Server has a password reset token single-use bypass via concurrent requests
Modified: 2026-03-20
parse-server auth adapter app ID validation can be circumvented
Modified: 2023-12-06
Authentication bypass vulnerability in Apple Game Center auth adapter
Modified: 2023-12-06
Parse Server vulnerable to stored XSS via file upload of HTML-renderable file types
Modified: 2026-03-13
Parse Server's Cloud Hooks and Cloud Jobs bypass `readOnlyMasterKey` write restriction
Modified: 2026-03-16
Parse Server has a NoSQL injection via token type in password reset and email verification endpoints
Modified: 2026-03-14
Parse Server option `masterKeyIps` vulnerability to IP spoofing
Modified: 2023-12-06
parse-server has cloud function validator bypass via prototype chain traversal
Modified: 2026-04-06
Parse Server: File upload Content-Type override via extension mismatch
Modified: 2026-04-08
Parse Server vulnerable to user enumeration via email verification endpoint
Modified: 2026-03-13