ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Description

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 7.0.0, < 7.1.0

  < 6.5.7**

• Patched version(s): **7.1.0

  6.5.7**

References

• GHSA-c2hr-cqg6-8j6r
• CVE-2024-39309
• CWE-288
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection - CVE-2024-27298
• Parse Server: SQL injection via dot-notation field name in PostgreSQL - CVE-2026-31840
• Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL - CVE-2026-31856
• Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248

Tags:

npm

parse-server