HIGH 7.5

GHSA-2479-qvv7-47qq

Parse Server before v3.4.1 vulnerable to Denial of Service

Details

### Impact

If a POST request is made to `/parse/classes/_Audience` (or another volatile class), any subsequent POST requests result in an internal server error (500).
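A log check for the symptom described above, as an added example that is not part of the advisory or of Parse Server's own code. It assumes access logs in common/combined format and the `/parse` mount path used in the advisory; the function names and the sample lines are constructed for illustration.

```javascript
// Added example (not Parse Server code): flag the advisory's pattern in access logs.
// Assumptions: common/combined log format; API mounted at /parse as in the advisory.
// Only _Audience is named on the page; add your deployment's other volatile classes.
const VOLATILE_CLASSES = new Set(['_Audience']);

// Captures method, request target and status from: "METHOD /path HTTP/x.y" STATUS
const LINE_RE = /"([A-Z]+) (\S+) HTTP\/[\d.]+" (\d{3})/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  // Drop query string and trailing slashes so variants of the path still match.
  const path = m[2].split('?')[0].replace(/\/+$/, '');
  return { method: m[1], path, status: Number(m[3]), raw: line };
}

// Returns one incident per POST to a volatile class, with the number of later
// POST requests (to any endpoint) that answered 500 before the next trigger.
function findVolatilePostIncidents(lines, mount = '/parse') {
  const prefix = `${mount}/classes/`;
  const incidents = [];
  let current = null;
  for (const line of lines) {
    const req = parseLine(line);
    if (!req || req.method !== 'POST') continue;
    const cls = req.path.startsWith(prefix) ? req.path.slice(prefix.length) : null;
    if (cls !== null && VOLATILE_CLASSES.has(cls)) {
      current = { className: cls, trigger: req.raw, failedPosts: 0 };
      incidents.push(current);
    } else if (current && req.status === 500) {
      current.failedPosts += 1;
    }
  }
  return incidents;
}

// Constructed sample lines, not real traffic. The trigger's own status is arbitrary.
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2020:10:00:00 +0000] "POST /parse/classes/GameScore HTTP/1.1" 201 52',
  '203.0.113.9 - - [01/Jan/2020:10:00:05 +0000] "POST /parse/classes/_Audience HTTP/1.1" 201 48',
  '198.51.100.7 - - [01/Jan/2020:10:00:09 +0000] "POST /parse/classes/GameScore HTTP/1.1" 500 37',
  '198.51.100.7 - - [01/Jan/2020:10:00:12 +0000] "GET /parse/classes/GameScore HTTP/1.1" 200 310',
  '198.51.100.8 - - [01/Jan/2020:10:00:15 +0000] "POST /parse/functions/hello HTTP/1.1" 500 37',
];

for (const i of findVolatilePostIncidents(SAMPLE_LOG)) {
  console.log(`${i.className}: ${i.failedPosts} failed POST(s) after ${i.trigger}`);
}
```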

### Patches

Yes, patched in 3.4.1

Afflicted installations will also have to remove the offending collection from their database.

### Workarounds

Yes, users can apply: https://github.com/parse-community/parse-server/commit/8709daf698ea69b59268cb66f0f7cee75b52daa5

### References

Nothing other than this advisory at this time

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [parse-server](https://github.com/parse-community/parse-server)
* Email us at [security@parseplatform.org](mailto:security@parseplatform.org)

Affected packages

npm / parse-server
Introduced in: 0
Fixed in: 3.4.1
Fix: `npm install parse-server@3.4.1`
