Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
- Severity: High
Description
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger, which poses an additional risk for deployments that rely on the `beforeFind` trigger as a security layer to modify incoming queries.
Recommendation
Update the parse-server package to the latest compatible version. The following are the version details:
- Affected version(s): **>= 6.0.0, < 6.2.2** and **>= 1.0.0, < 5.5.5**
- Patched version(s): **6.2.2** and **5.5.5**
References
Related Issues
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Parse Server may crash when uploading file without extension - CVE-2023-46119
- When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id - CVE-2023-35167
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- Tags: npm, parse-server
Last updated on November 05, 2023