Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
- Severity: High
Description
A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation.
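As an added illustration of the pattern the description names (not parse-server's own code), the builders below contrast an increment amount spliced into the SQL text with one that is type-checked and bound as a parameter; the table name `"Object"`, the helper names and the `jsonb_set` shape are assumptions.

```javascript
// Constructed illustration of the bug class the advisory describes, not
// parse-server's code. Table name, helper names and the jsonb_set shape are
// assumptions; only the "amount interpolated without validation" point is
// taken from the advisory.

const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// "stats.counter" -> { column: "stats", subKey: "counter" } (one level only).
function parseDotPath(fieldPath) {
  const parts = fieldPath.split('.');
  if (parts.length !== 2 || !parts.every(p => IDENT.test(p))) {
    throw new Error(`unsupported field path: ${fieldPath}`);
  }
  return { column: parts[0], subKey: parts[1] };
}

// Vulnerable shape: whatever arrives as `amount` is spliced into the SQL text,
// so a non-numeric value becomes part of the statement instead of a bound value.
function buildIncrementUnsafe(fieldPath, amount) {
  const { column, subKey } = parseDotPath(fieldPath);
  return `UPDATE "Object" SET "${column}" = jsonb_set("${column}", '{${subKey}}', ` +
    `to_jsonb(COALESCE(("${column}"->>'${subKey}')::numeric, 0) + ${amount}))`;
}

// Hardened shape: the amount must be a finite number and is bound as $2, the
// sub-key is bound as $1, and only the identifier-validated column name is
// interpolated (quoted) into the statement text.
function buildIncrementSafe(fieldPath, amount) {
  if (typeof amount !== 'number' || !Number.isFinite(amount)) {
    throw new TypeError('increment amount must be a finite number');
  }
  const { column, subKey } = parseDotPath(fieldPath);
  const text = `UPDATE "Object" SET "${column}" = jsonb_set("${column}", ARRAY[$1::text], ` +
    `to_jsonb(COALESCE(("${column}"->>$1::text)::numeric, 0) + $2::numeric))`;
  return { text, values: [subKey, amount] };
}

// Example use: a string amount lands verbatim in the unsafe statement text,
// while the safe builder rejects it before any SQL is produced.
console.log(buildIncrementUnsafe('stats.counter', 'not-a-number'));
console.log(buildIncrementSafe('stats.counter', 1));
```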
Recommendation
Update the parse-server package to the latest compatible version. Affected and patched versions:
- Affected version(s): **< 8.6.29**; **>= 9.0.0-alpha.1, < 9.6.0-alpha.3**
- Patched version(s): **8.6.29**; **9.6.0-alpha.3**
Related Issues
- Parse Server vulnerable to SQL Injection via dot-notation sub-key name in `Increment` operation on PostgreSQL - CVE-2026-31871
- Parse Server: SQL injection via dot-notation field name in PostgreSQL - CVE-2026-31840
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter - CVE-2026-33539
- Tags: npm, parse-server
Last updated on March 11, 2026