Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
- Severity:
- High
Description
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. This will result in the keyword being saved to the database, bypassing the requestKeywordDenylist option.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.0.0, < 5.3.2 < 4.10.19** Patched version(s): **5.3.2 4.10.19**
References
Related Issues
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on August 21, 2023