ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability

Description

This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 7.0.0, < 7.1.0

  < 6.5.7**

• Patched version(s): **7.1.0

  6.5.7**

References

• GHSA-c2hr-cqg6-8j6r
• CVE-2024-39309
• CWE-288
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A7

Related Issues

• ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection - CVE-2024-27298
• Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter - CVE-2026-33539
• Parse Server: JWT audience validation bypass in Google, Apple, and Facebook authentication adapters - CVE-2026-30863
• Parse Server: Account takeover via operator injection in authentication data identifier - CVE-2026-32248

You might also like:

How do hackers hack websites?

Exploiting Server Version Disclosure

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:

npm

parse-server