BIT-parse-2026-30835

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-30835.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-parse-2026-30835
Aliases
Published
2026-03-11T15:48:54.398Z
Modified
2026-03-13T10:41:21.995109Z
Summary
Parse Server: Malformed `$regex` query leaks database error details in API response
Details

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0.

Database specific
{
    "cpes": [
        "cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:node.js:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / parse

Package

Name
parse
Purl
pkg:bitnami/parse

Severity

  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.5.0

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/parse/BIT-parse-2026-30835.json"