Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Severity: High
Description
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the beforeFind query trigger, because the internal query pipeline that fetches a pointer does not invoke beforeFind. This is an additional risk for deployments that use the beforeFind trigger as a security layer to modify or restrict an incoming query.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): **>= 6.0.0, < 6.2.2** and **>= 1.0.0, < 5.5.5**
- Patched version(s): **6.2.2** and **5.5.5**
References
Related Issues
- parse-server crashes when receiving file download request with invalid byte range - CVE-2022-39313
- Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers - CVE-2025-31137
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
Tags: npm, parse-server
Last updated on November 05, 2023