Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
- Severity: High
Description
A Parse Pointer can be used to access internal Parse Server classes. It can also be used to circumvent the `beforeFind` query trigger, which is an additional risk for deployments that use the `beforeFind` trigger as a security layer to modify incoming queries.
Recommendation
Update the parse-server package to the latest compatible version. Version details are as follows:
- Affected version(s): **>= 6.0.0, < 6.2.2** and **>= 1.0.0, < 5.5.5**
- Patched version(s): **6.2.2** and **5.5.5**
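The following is an added example, not part of this advisory or of parse-server itself: a dependency-free check that tells whether a given parse-server version (for example the `version` field of its package.json) falls inside the affected ranges above and which patched release of the same line it should move to. The semver comparator is simplified (prerelease identifiers are compared as plain strings).

```javascript
// Added example, not part of the advisory: decide whether a given
// parse-server version lies inside the affected ranges stated above.
// Affected: >= 1.0.0, < 5.5.5 and >= 6.0.0, < 6.2.2. Patched: 5.5.5 and 6.2.2.
// The semver handling is a simplified, dependency-free comparator.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator (<0, 0, >0). A prerelease sorts before its final release, so
// 6.2.2-beta.1 is still below the patched 6.2.2.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1; // simplified: plain string order for prereleases
}

// Half-open [min, max) ranges from the advisory; max is the patched release
// for that release line.
const AFFECTED_RANGES = [
  { min: '1.0.0', max: '5.5.5' },
  { min: '6.0.0', max: '6.2.2' },
];

// Returns { version, affected, upgradeTo }; upgradeTo is the patched release
// of the matching line, or null when the version is not affected.
function checkParseServer(version) {
  const hit = AFFECTED_RANGES.find(
    (r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0,
  );
  return { version, affected: Boolean(hit), upgradeTo: hit ? hit.max : null };
}

// Constructed sample inputs, e.g. the "version" field of parse-server's package.json.
for (const v of ['5.5.4', '5.5.5', '6.2.1', '6.2.2-beta.1', '6.2.2', '7.0.0']) {
  console.log(checkParseServer(v));
}
```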
References
Related Issues
- Parse Server may crash when uploading file without extension - CVE-2023-46119
- When setting EntityOptions.apiPrefilter to a function, the filter is not applied to API requests for a resource by Id - CVE-2023-35167
- parse-server crashes when receiving file download request with invalid byte range - CVE-2022-39313
- GraphQL: Security breach on Viewer query - CVE-2020-15126
- Tags: npm, parse-server
Last updated on November 05, 2023