Unknown · Parse Server · CVE-2024-47183
**Name of the Vulnerable Software and Affected Versions**
Parse Server versions prior to 6.5.9
Parse Server versions prior to 7.3.0
**Description**
The issue arises when the Parse Server option `allowCustomObjectId: true` is set. With custom object IDs allowed, an attacker can create a new user with a crafted custom object ID and thereby acquire the privileges of a specific role.
**Recommendations**
For versions prior to 6.5.9, update to version 6.5.9 or later to resolve the issue.
For versions prior to 7.3.0, update to version 7.3.0 or later to resolve the issue.
As a temporary workaround, consider disabling custom object IDs by setting `allowCustomObjectId: false`.
Alternatively, use a Cloud Code Trigger to validate that a new user's object ID doesn't start with the prefix `role:`.
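One way to write the Cloud Code Trigger workaround, as an added example that is not Parse Server's own code. The function names are hypothetical, and it assumes the client-supplied object ID is visible as `request.object.id` inside the `beforeSave` trigger.

```javascript
// Added example: Cloud Code guard that rejects _User object IDs
// starting with the prefix named in the advisory.
const FORBIDDEN_PREFIX = 'role:';

// Pure check, kept separate so it can be tested without a running server.
// Returns an error message for a rejected ID, or null when the ID is acceptable.
function checkUserObjectId(objectId) {
  if (objectId === undefined || objectId === null) {
    return null; // no custom ID supplied; the server generates one
  }
  if (typeof objectId !== 'string') {
    return 'objectId must be a string';
  }
  if (objectId.startsWith(FORBIDDEN_PREFIX)) {
    return `objectId must not start with "${FORBIDDEN_PREFIX}"`;
  }
  return null;
}

// Trigger body: runs before every _User save, which includes sign-up.
// Assumption: the custom object ID is exposed as request.object.id here.
function validateUserBeforeSave(request) {
  const problem = checkUserObjectId(request.object.id);
  if (problem) {
    // Inside Cloud Code `Parse` is a global; fall back to Error elsewhere.
    if (typeof Parse !== 'undefined') {
      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, problem);
    }
    throw new Error(problem);
  }
}

// Register the trigger only when loaded by Parse Server as Cloud Code.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave(Parse.User, validateUserBeforeSave);
}
```

The trigger is a stopgap for deployments that must keep `allowCustomObjectId: true`; updating to a fixed version remains the resolution.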