GHSA-p2x3-8689-cwpg

Source

https://github.com/advisories/GHSA-p2x3-8689-cwpg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p2x3-8689-cwpg/GHSA-p2x3-8689-cwpg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-p2x3-8689-cwpg

Aliases

Published

2026-03-13T20:04:44Z

Modified

2026-03-20T10:11:02.473660Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server's GraphQL WebSocket endpoint bypasses security middleware

Details

Impact

Any Parse Server deployment that uses the GraphQL API is affected. The GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits.

Patches

The unfinished GraphQL WebSocket subscription feature has been removed, including the createSubscriptions method and the subscriptions-transport-ws dependency. GraphQL subscriptions were never functional in Parse Server as the schema did not define any subscription types.

Workarounds

Block WebSocket upgrade requests to the GraphQL subscriptions path (by default /subscriptions) at the network level, for example using a reverse proxy or load balancer rule.

Database specific

{
    "github_reviewed_at": "2026-03-13T20:04:44Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-306"
    ],
    "nvd_published_at": "2026-03-16T14:19:38Z",
    "severity": "MODERATE"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0

Fixed

9.6.0-alpha.14

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p2x3-8689-cwpg/GHSA-p2x3-8689-cwpg.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.40

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-p2x3-8689-cwpg/GHSA-p2x3-8689-cwpg.json"

last_known_affected_version_range

"< 8.0.0"