Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| parse-server(npm) | 0 | 6.5.9 | N/A |
| parse-server(npm) | 7.0.0 | 7.3.0 | N/A |
CVSS Metrics
