Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-2m6g-crv8-p3c6

GitHub Security Advisory

Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

✓ GitHub Reviewed HIGH Has CVE
View on GitHub

Advisory Details

### Impact

Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

### Patches

The patch requires the master key to use internal and protected fields as query constraints.

### Workarounds

Implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints, such as:

```js
Parse.Cloud.beforeFind('TestObject', ({ query }) => {
for (const key in query._where || []) {
// Repeat logic for protected fields
if (key.charAt(0) === '_') {
delete query._where[key];
}
}
});
```

### References

- https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6

Affected Packages

npm parse-server
Affected versions: 0 (fixed in 4.10.14)
npm parse-server
Affected versions: 5.0.0 (fixed in 5.2.5)

Related CVEs

CVE-2022-36079

Key Information

GHSA ID
GHSA-2m6g-crv8-p3c6
Published
September 16, 2022 9:17 PM
Last Modified
September 21, 2022 7:21 PM
CVSS Score
7.5 /10
Primary Ecosystem
npm
Primary Package
parse-server
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.