js · parse-server
Heads-up
parse-server: routeAllowList bypassed for batch sub-requests
The `routeAllowList` server option was bypassed for batch sub-requests, allowing external callers to access REST API routes not in the allow-list via batch requests.
What changed
The allow-list check was applied only to the outer request path. A request to the allowlisted `batch` route could therefore carry sub-requests for REST API routes that were not in `routeAllowList`, and those sub-requests were served, giving external callers access to routes the operator had not exposed. The fix re-enforces the allow-list check for each batch sub-request individually.
Who it affects
Operators running Parse Server v9.8.0 or later who have configured `routeAllowList` and included the `batch` route in it. Deployments that do not allowlist `batch` are not exposed through this path.
What to do today
Upgrade to the patched version. Until then, apply the workaround: explicitly list every route that batch sub-requests are meant to reach in `routeAllowList`, and, if batch requests are not needed at all, drop `batch` from the list so the bypass has no entry point. After upgrading, send a batch request whose sub-request targets a route that is not allowlisted and confirm that the sub-request is refused.