CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68150 – Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter
https://notcve.org/view.php?id=CVE-2025-68150
16 Dec 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the `apiURL` parameter in `authData`. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. This is fixed in versions 8.6.2 and 9.1.1-alpha.1 by hardcoding the Instagram Graph API URL `https://grap... • https://github.com/parse-community/parse-server/pull/9988 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2025-68115 – Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables
https://notcve.org/view.php?id=CVE-2025-68115
16 Dec 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available. • https://github.com/parse-community/parse-server/pull/9985 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-67727 – Parse Server GitHub CI workflow vulnerable to RCE through Improper Privilege Management
https://notcve.org/view.php?id=CVE-2025-67727
12 Dec 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permissions which are defined in the workflow. Code from a fork or lifecycle scripts is potentially included. Only the repository's CI/CD infrastructure is affected, including any public GitHub forks with GitHub Actions enabl... • https://github.com/parse-community/parse-server/commit/6b9f8963cc3debf59cd9c5dfc5422aff9404ce9d • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-269: Improper Privilege Management •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-64502 – Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details
https://notcve.org/view.php?id=CVE-2025-64502
10 Nov 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. The MongoDB `explain()` method provides detailed information about query execution plans, including index usage, collection scanning behavior, and performance metrics. Prior to version 8.5.0-alpha.5, Parse Server permits any client to execute explain queries without requiring the master key. This exposes database schema structure and field names, index configurations and query optimization details, query ... • https://github.com/parse-community/parse-server/commit/4456b02280c2d8dd58b7250e9e67f1a8647b3452 • CWE-201: Insertion of Sensitive Information Into Sent Data •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-64430 – Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format
https://notcve.org/view.php?id=CVE-2025-64430
07 Nov 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions 4.2.0 through 7.5.3, and 8.0.0 through 8.3.1-alpha.1, there is a Server-Side Request Forgery (SSRF) vulnerability in the file upload functionality when trying to upload a Parse.File with uri parameter, allowing execution of an arbitrary URI. The vulnerability stems from a file upload feature in which Parse Server retrieves the file data from a URI that is provided in the request. A request to ... • https://github.com/parse-community/parse-server/commit/8bbe3efbcf4a3b66f4a8db9bfb18cd98c050db51 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2025-30168 – Parse Server has an OAuth login vulnerability
https://notcve.org/view.php?id=CVE-2025-30168
21 Mar 2025 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 7.5.2 and 8.0.2, the 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, the credentials stored by one app can be used to authenticate the same user in the other app. ... • https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication • CWE-287: Improper Authentication •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-47183 – Parse Server's custom object ID allows to acquire role privileges
https://notcve.org/view.php?id=CVE-2024-47183
04 Oct 2024 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0. • https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg • CWE-285: Improper Authorization •
CVSS: 10.0EPSS: 4%CPEs: 2EXPL: 0CVE-2024-39309 – ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-39309
01 Jul 2024 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A vulnerability in versions prior to 6.5.7 and 7.1.0 allows SQL injection when Parse Server is configured to use the PostgreSQL database. The algorithm to detect SQL injection has been improved in versions 6.5.7 and 7.1.0. No known workarounds are available. Parse Server es un backend de código abierto que se puede implementar en cualquier infraestructura que pueda ejecutar Node.js. • https://github.com/parse-community/parse-server/commit/2edf1e4c0363af01e97a7fbc97694f851b7d1ff3 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 9.0EPSS: 1%CPEs: 2EXPL: 0CVE-2024-29027 – Parse Server crash and RCE via invalid Cloud Function or Cloud Job name
https://notcve.org/view.php?id=CVE-2024-29027
19 Mar 2024 — Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. The patch in versions 6.5.5 and 7.0.0-alpha.29 added string sanitation for Cloud Function name and Cloud Job name. As a workaround, sanitize the Cloud Function name and Cloud Job name bef... • https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27298 – Parse Server literalizeRegexPart SQL Injection
https://notcve.org/view.php?id=CVE-2024-27298
01 Mar 2024 — parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Parse Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the literalizeRegexPart function. • https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •