GHSA-3534-xp88-25rc

Source
https://github.com/advisories/GHSA-3534-xp88-25rc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3534-xp88-25rc/GHSA-3534-xp88-25rc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3534-xp88-25rc
Aliases
Published
2026-02-25T18:59:58Z
Modified
2026-02-25T19:25:20.182751Z
Severity
  • 8.3 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N
Summary
Parse Dashboard is Missing CSRF Protection for its Agent Endpoint
Details

Impact

The AI Agent API endpoint (POST /apps/:appId/agent) lacks CSRF protection. An attacker can craft a malicious page that, when visited by an authenticated dashboard user, submits requests to the agent endpoint using the victim's session.

Patches

The fix adds CSRF middleware to the agent endpoint and embeds a CSRF token in the dashboard page.

Workarounds

Remove the agent configuration block from your dashboard configuration. Dashboards without an agent config are not affected.

Resources

  • GitHub advisory: https://github.com/parse-community/parse-dashboard/security/advisories/GHSA-3534-xp88-25rc
  • Fixed in: https://github.com/parse-community/parse-dashboard/releases/tag/9.0.0-alpha.8
Database specific
{
    "github_reviewed_at": "2026-02-25T18:59:58Z",
    "nvd_published_at": "2026-02-25T03:16:05Z",
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-352"
    ],
    "github_reviewed": true
}
References

Affected packages

npm / parse-dashboard

Package

Affected ranges

Type
SEMVER
Events
Introduced
7.3.0-alpha.42
Fixed
9.0.0-alpha.8

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-3534-xp88-25rc/GHSA-3534-xp88-25rc.json"