Security Advisories · parse-community/parse-server · GitHub

Security Advisories

View known security vulnerabilities and report new vulnerabilities privately to maintainers.

Report a vulnerability

Parse Server allows public `explain` query which may expose sensitive database performance information and schema details
GHSA-7cx5-254x-cgrq published Nov 8, 2025 by mtrezza

Moderate
Server-Side Request Forgery (SSRF) in File Upload via URI Format
GHSA-x4qj-2f4q-r4rx published Nov 5, 2025 by mtrezza

High
Data schema exposed via GraphQL API public introspection
GHSA-48q3-prgv-gm4w published Jul 10, 2025 by mtrezza

Moderate
Custom object ID allows to acquire role privileges
GHSA-8xq9-g7ch-35hg published Oct 4, 2024 by mtrezza

Critical
ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability
GHSA-c2hr-cqg6-8j6r published Jun 30, 2024 by mtrezza

Critical
Server crash when uploading file without extension
GHSA-792q-q67h-w579 published Oct 20, 2023 by mtrezza

High
Parse Pointer allows to access internal Parse Server classes and circumvent `beforeFind` query trigger
GHSA-fcv6-fg5r-jm9q published Sep 4, 2023 by mtrezza

High
ZDI-CAN-19105: Parse Server literalizeRegexPart SQL Injection
GHSA-6927-3vr9-fxf2 published Mar 1, 2024 by mtrezza

Critical
Server crashes on invalid Cloud Function or Cloud Job name
GHSA-6hh7-46r2-vf29 published Mar 19, 2024 by mtrezza

Critical
ZDI-CAN-19904: Remote code execution via MongoDB BSON parser through prototype pollution
GHSA-462x-c3jw-7vr6 published Jun 28, 2023 by mtrezza

Critical