parse-server crashes when receiving file download request with invalid byte range

Description

Parse Server crashes when a file download request is received with an invalid byte range.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 5.0.0, < 5.2.8

  < 4.10.17**

• Patched version(s): **5.2.8

  4.10.17**

References

• GHSA-h423-w6qv-2wj3
• CVE-2022-39313
• CWE-1284
• CWE-20
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer - CVE-2023-41058
• Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers - CVE-2025-31137
• Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
• Parse Server has an OAuth login vulnerability - CVE-2025-30168

Tags:

npm

parse-server