Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Severity: High
Description
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger, which is an additional exposure for deployments that rely on the `beforeFind` trigger as a security layer to modify an incoming query.
Recommendation
Update the parse-server package to the latest compatible version. Version details are as follows:
Affected version(s): **>= 6.0.0, < 6.2.2** and **>= 1.0.0, < 5.5.5**
Patched version(s): **6.2.2** and **5.5.5**
Related Issues
- Parse Server has a SQL injection via query field name when using PostgreSQL - CVE-2026-32234
- Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
- Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization - CVE-2026-30850
- Parse Server may crash when uploading file without extension - CVE-2023-46119
Tags: npm, parse-server
Last updated on November 05, 2023