Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers
- Severity: High
Description
Keywords that are specified in the Parse Server option requestKeywordDenylist can be injected via Cloud Code Webhooks or Triggers. The keyword is then saved to the database, bypassing the requestKeywordDenylist option.
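As an added illustration of the mitigation this advisory implies (this is example code, not parse-server's own implementation): the keyword denylist must be enforced on the object as it will be persisted, after Cloud Code triggers and webhooks have modified it, not only on the incoming request. The denylist contents, the function names and the webhook response are assumptions constructed for the example.

```javascript
// Assumed denylist of keys (parse-server's real default list is not reproduced here).
const DENYLIST = ['__proto__', 'constructor', 'prototype'];

// Recursively collect dotted paths of denied keys in nested objects/arrays.
// Keys created by JSON.parse (including "__proto__") are own properties,
// so Object.entries sees them.
function findDeniedKeys(value, denylist = DENYLIST, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  const entries = Array.isArray(value)
    ? value.map((v, i) => [String(i), v])
    : Object.entries(value);
  for (const [key, child] of entries) {
    const here = path ? `${path}.${key}` : key;
    if (!Array.isArray(value) && denylist.includes(key)) out.push(here);
    findDeniedKeys(child, denylist, here, out);
  }
  return out;
}

// Simulated beforeSave pipeline: check the request, run the trigger, then
// check the trigger's output AGAIN before it would reach the database.
function saveWithTrigger(requestBody, trigger) {
  const before = findDeniedKeys(requestBody);
  if (before.length) return { saved: false, stage: 'request', denied: before };
  const modified = trigger(JSON.parse(JSON.stringify(requestBody)));
  const after = findDeniedKeys(modified);
  if (after.length) return { saved: false, stage: 'trigger', denied: after };
  return { saved: true, stage: 'ok', object: modified };
}

// Constructed webhook response: untrusted JSON carrying a denied key.
const WEBHOOK_RESPONSE = '{"nickname":"al","__proto__":{"isAdmin":true}}';

// Hypothetical trigger that merges the webhook response into the object
// without filtering it; the post-trigger check is what catches this.
function untrustedTrigger(obj) {
  obj.profile = JSON.parse(WEBHOOK_RESPONSE);
  return obj;
}

console.log(saveWithTrigger({ name: 'alice' }, untrustedTrigger));
// { saved: false, stage: 'trigger', denied: [ 'profile.__proto__' ] }
```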
Recommendation
Update the parse-server package to the latest compatible version. The version details are as follows:
- Affected version(s): **>= 5.0.0, < 5.3.2** and **< 4.10.19**
- Patched version(s): **5.3.2** and **4.10.19**
Related Issues
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Tags:
- npm
- parse-server
Last updated on August 21, 2023