Description
The setPassword method (http://parseplatform.org/Parse-SDK-JS/api/2.9.1/Parse.User.html#setPassword) stores the user’s password in localStorage as raw text making it vulnerable to anyone with access to your localStorage. We believe this is the only time that password is stored at all.
Recommendation
Update the parse package to the latest compatible version. Followings are version details:
- Affected version(s): < 2.10.0
- Patched version(s): 2.10.0
References
Related Issues
- Gatsby develop server has Local File Inclusion vulnerability - CVE-2023-34238
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- jsPDF has Local File Inclusion/Path Traversal vulnerability - CVE-2025-68428
- parse-server: MFA SMS one-time password accepted twice under concurrent login - CVE-2026-43930
You might also like:
- Tags:
- npm
- parse
Anything's wrong? Let us know Last updated on January 09, 2023


