GHSA-q3vj-96h2-gwvg

Source

https://github.com/advisories/GHSA-q3vj-96h2-gwvg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q3vj-96h2-gwvg/GHSA-q3vj-96h2-gwvg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q3vj-96h2-gwvg

Aliases

Published

2026-03-11T00:26:37Z

Modified

2026-03-13T13:11:00.470751Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL

Details

Impact

A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs.

MongoDB deployments are not affected.

Patches

The fix adds type validation to reject non-number values and parameterizes the value in the SQL query instead of interpolating it.

Workarounds

There is no known workaround.

References

GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg
Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.3
Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.29

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-11T00:26:37Z",
    "cwe_ids": [
        "CWE-89"
    ],
    "severity": "CRITICAL",
    "nvd_published_at": "2026-03-11T18:16:24Z"
}

References

Affected packages

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

9.0.0-alpha.1

Fixed

9.6.0-alpha.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q3vj-96h2-gwvg/GHSA-q3vj-96h2-gwvg.json"

npm / parse-server

Package

Name: parse-server; View open source insights on deps.dev
Purl: pkg:npm/parse-server

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.6.29

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q3vj-96h2-gwvg/GHSA-q3vj-96h2-gwvg.json"