GHSA-q342-9w2p-57fp

Source

https://github.com/advisories/GHSA-q342-9w2p-57fp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q342-9w2p-57fp/GHSA-q342-9w2p-57fp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q342-9w2p-57fp

Aliases

Published

2026-03-10T00:57:37Z

Modified

2026-03-16T03:09:53.686020Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement

Details

Impact

The requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally by-passable using the same technique.

All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default.

Patches

The fix replaces the recursive object scanner with an iterative stack-based traversal that processes all nested values without prematurely exiting the scan loop. This also eliminates a potential stack overflow on deeply nested payloads.

Workarounds

Use a Cloud Code beforeSave trigger to validate incoming data for prohibited keywords across all classes.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q342-9w2p-57fp
Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.5.1-alpha.1
Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.12

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-10T00:57:37Z",
    "cwe_ids": [
        "CWE-693"
    ],
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-10T18:18:53Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.12

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q342-9w2p-57fp/GHSA-q342-9w2p-57fp.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0-alpha.1

Fixed

9.5.1-alpha.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q342-9w2p-57fp/GHSA-q342-9w2p-57fp.json"