CVE-2023-41058

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 5.5.5 Parse Server versions prior to 6.2.2

Description The issue concerns the Parse Cloud trigger beforeFind not being invoked in certain conditions of Parse.Query. This poses a risk for deployments where the beforeFind trigger is used as a security layer to modify the incoming query. The vulnerability can be exploited by using a Parse Pointer to access internal Parse Server classes or circumvent the beforeFind query trigger.

Recommendations For versions prior to 5.5.5, upgrade to version 5.5.5 or later. For versions prior to 6.2.2, upgrade to version 6.2.2 or later. As a temporary workaround, consider using Parse Server's security layers, such as Class-Level Permissions and Object-Level Access Control, to manage access levels instead of custom security layers in Cloud Code triggers.