PT-2024-28434 · Unknown+1 · Parse Server+1

Smile Thanapattheerakul · Published 2024-07-01 · Updated 2024-07-10 · CVE-2024-39309

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Parse Server, versions prior to 6.5.7 and versions prior to 7.1.0 (the 6.x and 7.x release lines; fixed in 6.5.7 and 7.1.0 respectively).
Description: Parse Server, when configured to use PostgreSQL as its database, is vulnerable to SQL injection: the literalizeRegexPart helper of the PostgreSQL storage adapter builds SQL from client-supplied query input without neutralizing it correctly. A remote attacker can exploit this without any authentication (consistent with PR:N in the vector) to bypass authentication on affected installations. No information is available on the number of potentially affected installations worldwide or on real-world incidents in which the issue was exploited.
Recommendations: Update to version 6.5.7 or later on the 6.x line, or to version 7.1.0 or later on the 7.x line; both releases contain the fix. If patching must be delayed, restrict network access to the PostgreSQL database and to the Parse Server API. Note that restricting the database alone narrows what an attacker can reach but does not remove the injection path, because the malicious query arrives through Parse Server's own API. Until the fix is deployed, avoid exposing API endpoints whose queries reach the literalizeRegexPart function to untrusted input.
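Added example, not Parse Server's code and not its patched literalizeRegexPart: a constructed JavaScript model of the weakness class the description names, a hand-escaped regex pattern spliced into a PostgreSQL query, beside a parameterized form. The function names escapeQuotesLegacy, buildRegexWhereVulnerable, escapeQuotesFixed, buildRegexWhereSafe and textAfterFirstLiteral, the "_User"/"username" query shape and the sample patterns are all assumptions made for the illustration.

```javascript
// Added illustration of the SQL-injection class described above. This is NOT
// Parse Server's literalizeRegexPart, only a constructed model of the pattern:
// a user-controlled regex part is escaped by hand and spliced into SQL text.

// Hypothetical legacy escaper. It doubles a ' only when a non-quote character
// precedes it; String.replace never overlaps matches, so in "x''" the first
// quote is consumed as part of the match "x'" and the second is left alone.
// The SQL literal then contains an odd run of quotes and closes early.
function escapeQuotesLegacy(part) {
  return part
    .replace(/([^'])'/g, "$1''") // a'  -> a''   but  a'' -> a'''
    .replace(/^'([^'])/, "''$1"); // quote at position 0
}

// Vulnerable builder: the "escaped" pattern lands directly in the query text.
function buildRegexWhereVulnerable(pattern) {
  return `SELECT * FROM "_User" WHERE "username" ~ '${escapeQuotesLegacy(pattern)}'`;
}

// Minimal in-place fix: every quote is doubled, with no context condition.
function escapeQuotesFixed(part) {
  return part.replace(/'/g, "''");
}

// Preferred fix: the pattern never enters the SQL text. It is handed to the
// driver as a bind value (the { text, values } shape node-postgres accepts).
function buildRegexWhereSafe(pattern) {
  return { text: 'SELECT * FROM "_User" WHERE "username" ~ $1', values: [pattern] };
}

// Checker: scan the first single-quoted literal the way PostgreSQL's lexer
// does ('' inside a literal is one escaped quote) and return whatever follows
// the closing quote. For an intact query that tail is the empty string.
function textAfterFirstLiteral(sql) {
  const start = sql.indexOf("'");
  if (start < 0) return null; // no single-quoted literal in the text
  for (let i = start + 1; i < sql.length; i++) {
    if (sql[i] !== "'") continue;
    if (sql[i + 1] === "'") { i++; continue; } // escaped quote, skip both
    return sql.slice(i + 1);                    // literal closed here
  }
  return null; // unterminated literal
}

// Constructed sample inputs.
const BENIGN_PATTERN = "^smile'$";         // one quote: the legacy escaper copes
const INJECTION_PATTERN = "x'' OR 1=1 --"; // two adjacent quotes: it does not

if (typeof require !== "undefined" && require.main === module) {
  const bad = buildRegexWhereVulnerable(INJECTION_PATTERN);
  console.log(bad);
  console.log("tail after literal:", JSON.stringify(textAfterFirstLiteral(bad)));
  console.log(buildRegexWhereSafe(INJECTION_PATTERN));
}
```

Run with node: the vulnerable query for the injection pattern is `... ~ 'x''' OR 1=1 --'`, and the checker reports the tail ` OR 1=1 --'`, i.e. the literal closed after `x'` and the rest is executed as SQL. The parameterized form carries no single-quoted literal at all, so there is nothing for the pattern to break out of.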

Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Identifiers

BIT-PARSE-2024-39309
CVE-2024-39309
GHSA-C2HR-CQG6-8J6R
ZDI-24-896

Affected Products

Parse Server
PostgreSQL