📦 Parse Server
by Parseplatform
🛡️ Security Overview
⚠️ Known Vulnerabilities
This CVE describes a GitHub Actions workflow vulnerability in Parse Server that grants elevated permissions to CI/CD pipelines. It allows unauthorized access to GitHub secrets and write permissions, p...
This SQL injection vulnerability in parse-server allows attackers to execute arbitrary SQL commands when the server is configured with PostgreSQL. It affects all parse-server deployments using Postgre...
This vulnerability in Parse Server allows attackers to perform prototype pollution attacks that can lead to remote code execution through the MongoDB BSON parser. Any Parse Server deployment prior to ...
CVE-2022-24760 is a critical Remote Code Execution vulnerability in Parse Server caused by prototype pollution in DatabaseController.js. It allows attackers to execute arbitrary code on affected serve...
Parse Server versions before 6.5.9 and 7.3.0 with allowCustomObjectId enabled are vulnerable to privilege escalation. An attacker who can create new users can set custom object IDs to gain unauthorize...
Parse Server crashes when processing file uploads without file extensions, causing denial of service. This affects all Parse Server deployments running vulnerable versions, potentially disrupting back...
Parse Server deployments using the beforeFind Cloud Code trigger as a security layer are vulnerable to query manipulation bypass. This allows attackers to potentially access data they shouldn't have p...
Parse Server versions before 5.4.1 incorrectly trust the x-forwarded-for header to determine client IP addresses when not behind a proxy. This allows attackers to spoof their IP address, potentially b...
Parse Server LiveQuery improperly exposes protected fields to clients, allowing unauthorized access to sensitive data. This affects all Parse Server deployments using LiveQuery functionality with prot...
Parse Server versions before 4.10.12 and 5.2.3 crash when processing certain invalid file requests, causing denial of service. This affects all Parse Server deployments, with single-instance deploymen...
Parse Server's Apple Game Center authentication adapter had a certificate validation flaw that allowed attackers to bypass authentication by providing a fake certificate URL. This affects all Parse Se...
This vulnerability allows attackers to bypass authentication in Parse Server's Apple Game Center adapter by exploiting improper URL validation of Apple certificates. Attackers can potentially gain una...
Parse Server versions before 4.10.4 expose user session tokens in LiveQuery payloads when users subscribe to Parse.User class updates. This allows attackers to capture session tokens during user sign-...
Parse Server's Instagram authentication adapter allows attackers to specify custom API URLs, enabling Server-Side Request Forgery (SSRF) attacks. This could lead to authentication bypass if malicious ...
Parse Server versions before 8.6.1 and 9.1.0-alpha.3 contain a reflected cross-site scripting (XSS) vulnerability in password reset and email verification pages. Attackers can inject malicious scripts...