parse-server@2.0.4 vulnerabilities

An express module providing a Parse-compatible API server

Direct Vulnerabilities

Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Improper Input Validation

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Input Validation for Cloud Function names and Cloud Job names. Exploiting this vulnerability allows an attacker to cause a denial of service or execute arbitrary code by sending a specially crafted request.

How to fix Improper Input Validation?

Upgrade parse-server to version 6.5.5, 7.0.0-alpha.29 or higher.

<6.5.5 >=7.0.0-alpha.1 <7.0.0-alpha.29
  • C
SQL Injection

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to SQL Injection via a malicious PostgreSQL statement containing multiple quoted strings. This vulnerability is only present when the PostgreSQL engine is in use.

How to fix SQL Injection?

Upgrade parse-server to version 6.5.0, 7.0.0-alpha.20 or higher.

<6.5.0 >=7.0.0-alpha.1 <7.0.0-alpha.20
  • H
Uncontrolled Resource Consumption ('Resource Exhaustion')

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the file upload function. An attacker can cause the server to crash by uploading a file without an extension.

How to fix Uncontrolled Resource Consumption ('Resource Exhaustion')?

Upgrade parse-server to version 5.5.6, 6.3.1 or higher.

>=1.0.0 <5.5.6 >=6.0.0 <6.3.1
  • H
Access Restriction Bypass

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Access Restriction Bypass via the beforeFind trigger in the Parse Cloud. An attacker can bypass security layers and modify incoming queries by exploiting certain conditions in Parse.Query. This is only exploitable if the beforeFind trigger is used as a security layer to modify the incoming query.

How to fix Access Restriction Bypass?

Upgrade parse-server to version 5.5.5, 6.2.2 or higher.

>=1.0.0 <5.5.5 >=6.0.0 <6.2.2
  • C
Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution in the MongoDB BSON parser, which allows attackers to execute code on the affected system.

How to fix Prototype Pollution?

Upgrade parse-server to version 5.5.2, 6.2.1 or higher.

<5.5.2 >=6.0.0-alpha.1 <6.2.1
  • M
Arbitrary File Upload

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Arbitrary File Upload such that a malicious user could upload an HTML file to Parse Server via its public API. That HTML file would then be accessible at the internet domain at which Parse Server is hosted. The URL of the uploaded HTML could be shared for phishing attacks. The HTML page may seem legitimate because it is served under the internet domain where Parse Server is hosted, which may be the same as a company's official website domain.

Note:

An additional security issue arises when the Parse JavaScript SDK is used. The SDK stores sessions in the internet browser's local storage, which usually restricts data access depending on the internet domain. A malicious HTML file could contain a script that retrieves the user's session token from local storage and then share it with the attacker.

How to fix Arbitrary File Upload?

Upgrade parse-server to version 5.5.0, 6.2.0 or higher.

<5.5.0 >=6.0.0 <6.2.0
  • H
Authentication Bypass

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to insufficient checks in the mechanism used to determine the client's IP address.

How to fix Authentication Bypass?

Upgrade parse-server to version 5.4.1 or higher.

<5.4.1
  • H
Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution such that a compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server requestKeywordDenylist option.

How to fix Prototype Pollution?

Upgrade parse-server to version 4.10.20, 5.3.3 or higher.

<4.10.20 >=5.0.0 <5.3.3
  • H
Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution such that keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.

How to fix Prototype Pollution?

Upgrade parse-server to version 4.10.19, 5.3.2 or higher.

<4.10.19 >=5.0.0 <5.3.2
  • C
Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution due to insufficient validation checks which can allow an attacker to trigger remote code execution.

How to fix Prototype Pollution?

Upgrade parse-server to version 4.10.18, 5.3.1 or higher.

<4.10.18 >=5.0.0 <5.3.1
  • H
Denial of Service (DoS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) when receiving a file download request with an invalid byte range.

How to fix Denial of Service (DoS)?

Upgrade parse-server to version 4.10.17, 5.2.8 or higher.

<4.10.17 >=5.0.0 <5.2.8
  • M
Authentication Bypass

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass where the session object properties can be updated by a foreign user if the object ID is known.

How to fix Authentication Bypass?

Upgrade parse-server to version 4.10.15, 5.2.6 or higher.

<4.10.15 >=5.0.0 <5.2.6
  • L
Improper Authentication

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Authentication when the server-side authentication adapter configuration appIds is set as a string instead of an array of strings. The vulnerability makes it possible to authenticate requests coming from a Facebook or Spotify app with a different app ID than the one specified in the appIds configuration.

Note: This vulnerability affects environments with configurations that allow users to authenticate using the Parse Server authentication adapter for Facebook or Spotify.

How to fix Improper Authentication?

Upgrade parse-server to version 4.10.16, 5.2.7 or higher.

<4.10.16 >=5.0.0 <5.2.7
  • M
Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure via internal fields (keys used internally by Parse Server, prefixed by _) and user-defined protected fields used as query constraints. An attacker can exploit this vulnerability by brute force and enumerating the time until Parse Server returns a response object.

How to fix Information Exposure?

Upgrade parse-server to version 4.10.14, 5.2.5 or higher.

<4.10.14 >=5.0.0 <5.2.5
  • H
Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure because the LiveQueryController does not remove protected fields in classes, passing them to the client.

How to fix Information Exposure?

Upgrade parse-server to version 4.10.13, 5.2.4 or higher.

<4.10.13 >=5.0.0 <5.2.4
  • H
Denial of Service (DoS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to certain types of invalid files requests are not handled properly.

Note: If you are running multiple Parse Server instances in a cluster, the availability impact may be low. If you are running Parse Server as a single instance without redundancy, the availability impact may be high.

How to fix Denial of Service (DoS)?

Upgrade parse-server to version 4.10.12, 5.2.3 or higher.

<4.10.12 >=5.0.0 <5.2.3
  • C
Authentication Bypass

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to missing validation of certificates from Apple Game Center. Thus, authentication could potentially be bypassed by making a fake certificate accessible via certain Apple domains and providing the URL to that certificate in an authData object.

How to fix Authentication Bypass?

Upgrade parse-server to version 4.10.11, 5.2.2 or higher.

<4.10.11 >=5.0.0 <5.2.2
  • H
Authentication Bypass

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Authentication Bypass due to a weak validation of the Apple certificate URL in the Apple Game Center authentication adapter which allows attackers to make DoS attacks.

How to fix Authentication Bypass?

Upgrade parse-server to version 4.10.10, 5.2.1 or higher.

<4.10.10 >=5.0.0 <5.2.1
  • C
Prototype Pollution

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Prototype Pollution in DatabaseController.js, which may lead to an RCE.

How to fix Prototype Pollution?

Upgrade parse-server to version 4.10.7 or higher.

<4.10.7
  • H
Improper Authentication

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Authentication. For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.

How to fix Improper Authentication?

Upgrade parse-server to version 4.10.4 or higher.

<4.10.4
  • H
Denial of Service (DoS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS). It crashes if a query request contains an invalid value for the explain option. This is due to a bug in the MongoDB Node.js driver which throws an exception that Parse Server cannot catch.

How to fix Denial of Service (DoS)?

Upgrade parse-server to version 4.10.3 or higher.

<4.10.3
  • M
Information Exposure

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Information Exposure. When an anonymous user is first signed up using REST, the server creates session incorrectly. Particularly, the authProvider field in _Session class under createdWith shows the user logged in creating a password. If a developer later depends on the createdWith field to provide a different level of access between a password user and anonymous user, the server incorrectly classified the session type as being created with a password. The server does not currently use createdWith to make decisions about internal functions, so if a developer is not using createdWith directly, they are not affected. The vulnerability only affects users who depend on createdWith by using it directly.

How to fix Information Exposure?

Upgrade parse-server to version 4.5.1 or higher.

<4.5.1
  • M
Operation on a Resource after Expiration or Release

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release. It broadcasts events to all clients without checking if the session token is valid. This allows clients with expired sessions to still receive subscription objects. It is not possible to create subscription objects with invalid session tokens.

How to fix Operation on a Resource after Expiration or Release?

Upgrade parse-server to version 4.4.0 or higher.

<4.4.0
  • H
Improper Input Validation

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Improper Input Validation. It is possible to fetch all the users' objects, by using regex for sessionToken in the NoSQL query: {"_SessionToken":{"$regex":"r:027f"}}. In addition, it is possible to verify someone else's account by simply using regex in the token param: http://localhost:1337/parse/apps/kickbox/verify_email?token[$regex]=a&username=some@email.com.

How to fix Improper Input Validation?

Upgrade parse-server to version 4.1.0 or higher.

<4.1.0
  • M
Account Enumeration

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Account Enumeration. ParseError.ACCOUNT_ALREADY_LINKED(208) is thrown before the AuthController checks the password and throws a ParseError.SESSION_MISSING(206) for Insufficient auth. An attacker can guess ids and get information about linked accounts and email addresses.

How to fix Account Enumeration?

Upgrade parse-server to version 3.6.0 or higher.

<3.6.0
  • H
Denial of Service (DoS)

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Denial of Service (DoS). If a POST request is made to /parse/classes/_Audience (or other volatile class), any subsuquent POST requests result in an internal server error (500).

How to fix Denial of Service (DoS)?

Upgrade parse-server to version 3.4.1 or higher.

<3.4.1