
parse-server

js · parse-server · Heads-up

parse-server: routeAllowList bypassed for batch sub-requests

The `routeAllowList` server option was bypassed for batch sub-requests, allowing external callers to access REST API routes not in

20 Jun 2026 · schedule it

js · parse-server · Heads-up

parse-server: Security bypass in file upload extension blocklist fixed

A security bypass in the default file upload extension blocklist was fixed.

20 Jun 2026 · schedule it

js · parse-server · Heads-up

parse-server: MFA sensitive data exposure on login/verifyPassword when _User get is denied

When MFA is enabled and `get` on `_User` class is denied via CLP, the `/login` and `/verifyPassword` endpoints previously fell bac

20 Jun 2026 · schedule it

js · parse-server · Heads-up

parse-server: $relatedTo now enforces authorization checks

The `$relatedTo` operator in relation queries now enforces authorization checks: the owning object must be readable by the caller

20 Jun 2026 · schedule it

js · parse-server · Heads-up

parse-server: file upload blocklist bypass via content type

Parse Server's file upload extension validation now also evaluates the request content type against the configured blocklist when

20 Jun 2026 · schedule it

js · parse-server · Heads-up

parse-server LiveQuery subscriber authorization verification for object states in leave/enter events

Parse Server LiveQuery now verifies subscriber authorization for object states in leave and enter events.

20 Jun 2026 · schedule it

js · parse-server · Critical

parse-server Denial of Service via Deeply Nested Query Conditions

Parse Server is vulnerable to denial of service via deeply nested query condition operators, causing exponential time complexity.

20 Jun 2026 · act now