GraphQL: Security breach on Viewer query

Severity:: Medium

Description

An authenticated user using the viewer GraphQL query can bypass all read security on his User object and can also bypass all objects linked via relation or Pointer on his User object.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

Affected version(s): >= 3.5.0, < 4.3.0
Patched version(s): 4.3.0

References

GHSA-236h-rqv8-8q73
CVE-2020-15126
CWE-863
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

Parse Server affected by denial-of-service via unbounded query complexity in REST and GraphQL API - CVE-2026-30946
Parse Server's GraphQL WebSocket endpoint bypasses security middleware - CVE-2026-32594
Parse Server stores password in plain text - CVE-2020-26288
Parse Server has a protected fields bypass via dot-notation in query and sort - CVE-2026-31872

Tags:: npm; parse-server

Anything's wrong? Let us know Last updated on October 26, 2023