CVE-2026-34363

EPSS 0.04%
Veröffentlicht 31.03.2026 14:35:42
Zuletzt bearbeitet 02.04.2026 18:11:29
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered, one subscriber's trigger modifications can leak to other subscribers through the same shared mutable state. Any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers is affected when multiple clients subscribe to the same class. This issue has been patched in versions 8.6.65 and 9.7.0-alpha.9.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Parseplatform ≫ Parse-server SwPlatformnode.js Version < 8.6.65

Parseplatform ≫ Parse-server SwPlatformnode.js Version >= 9.0.0 < 9.7.0

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha1 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha2 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha3 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha4 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha5 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha6 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha7 SwPlatformnode.js

Parseplatform ≫ Parse-server Version9.7.0 Updatealpha8 SwPlatformnode.js

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.127

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.2	0	0	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

https://github.com/parse-community/parse-server/security/advisories/GHSA-m983-v2ff-wq65

Patch

Vendor Advisory

https://github.com/parse-community/parse-server/pull/10330

Patch

Issue Tracking

https://github.com/parse-community/parse-server/pull/10331

Patch

Issue Tracking

https://github.com/parse-community/parse-server/commit/5834e29234593addaa0251a85f572ad4f376320b

Patch

https://github.com/parse-community/parse-server/commit/776c71c3078e77d38c94937f463741793609d055