
Commit 10b562c

1 parent c3dee28 commit 10b562c

4 files changed

Lines changed: 317 additions & 0 deletions


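--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-5v7g-9h8f-8pgg.json
@@ -0,0 +1,84 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-5v7g-9h8f-8pgg",
+"modified": "2026-03-17T18:37:24Z",
+"published": "2026-03-17T18:37:23Z",
+"aliases": [
+"CVE-2026-32742"
+],
+"summary": "Parse Server session creation endpoint allows overwriting server-generated session fields",
+"details": "### Impact\n\nAn authenticated user can overwrite server-generated session fields (`sessionToken`, `expiresAt`, `createdWith`) when creating a session object via `POST /classes/_Session`. This allows bypassing the server's session expiration policy by setting an arbitrary far-future expiration date. It also allows setting a predictable session token value.\n\n### Patches\n\nThe session creation endpoint now filters out server-generated fields from user-supplied data, preventing them from being overwritten.\n\n### Workarounds\n\nAdd a `beforeSave` trigger on the `_Session` class to validate and reject or strip any user-supplied values for `sessionToken`, `expiresAt`, and `createdWith`.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "9.0.0"
+},
+{
+"fixed": "9.6.0-alpha.17"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.6.42"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-5v7g-9h8f-8pgg"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10195"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10196"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/parse-community/parse-server"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-915"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-17T18:37:23Z",
+"nvd_published_at": null
+}
+}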
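Review bot: The `fixed` event of the first affected range is a prerelease, `"fixed": "9.6.0-alpha.17"`, and that affected entry carries no `database_specific.last_known_affected_version_range`, whereas the fourth file in this commit (GHSA-g699-3x6g-wm3g) does record one alongside its `fixed` event. Version matchers treat a prerelease boundary differently across ecosystems, so a reader of this record alone cannot tell which stable 9.x release, if any, contains the fix. Adding `"database_specific": { "last_known_affected_version_range": "<= LAST_AFFECTED_9X_VERSION_PLACEHOLDER" }` to the first affected entry, with the real value taken from the upstream advisory, would close that gap. The same applies to the second file (GHSA-827p-g5x5-h86c, `"fixed": "9.6.0-alpha.19"`) and the third (GHSA-9ccr-fpp6-78qf, `"fixed": "9.6.0-alpha.20"`).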
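--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-827p-g5x5-h86c.json
@@ -0,0 +1,84 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-827p-g5x5-h86c",
+"modified": "2026-03-17T18:37:30Z",
+"published": "2026-03-17T18:37:30Z",
+"aliases": [
+"CVE-2026-32770"
+],
+"summary": "Parse Server LiveQuery subscription with invalid regular expression crashes server",
+"details": "### Impact\n\nA remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients.\n\n### Patches\n\nThe fix validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process.\n\n### Workarounds\n\nDisable LiveQuery if it is not needed.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "9.0.0"
+},
+{
+"fixed": "9.6.0-alpha.19"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.6.43"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-827p-g5x5-h86c"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10197"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10199"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/parse-community/parse-server"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-248"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-17T18:37:30Z",
+"nvd_published_at": null
+}
+}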
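--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-9ccr-fpp6-78qf.json
@@ -0,0 +1,84 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-9ccr-fpp6-78qf",
+"modified": "2026-03-17T18:37:08Z",
+"published": "2026-03-17T18:37:08Z",
+"aliases": [
+"CVE-2026-32878"
+],
+"summary": "Parse Server vulnerable to schema poisoning via prototype pollution in deep copy",
+"details": "### Impact\n\nAn attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key.\n\n### Patches\n\nThe vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing denylist check to correctly detect and reject the prohibited keyword.\n\n### Workarounds\n\nNone.\n\n### Vulnerability Independence\n\nThis vulnerability is not caused by or dependent on a vulnerability in a third-party dependency.\n\nThe third-party `deepcopy` library that was replaced in the fix has no known CVE or security advisory regarding this. The library functions as designed. It is not vulnerable.\n\nThe vulnerability is in parse-server's own request processing logic. Parse-server's security-critical keyword denylist check runs after the deep copy step in the request pipeline. The deep copy step strips `__proto__` properties as a normal part of its cloning behavior, which means the denylist check never sees the prohibited key. This allows an attacker to bypass both the denylist protection and class-level permissions for adding fields, resulting in schema poisoning.\n\nThe root cause is parse-server's reliance on a cloning mechanism that alters the shape of the data before the security check can inspect it. This is a logic flaw in parse-server's security pipeline, not a vulnerability in a dependency. Replacing the cloning mechanism was the fix for parse-server's own bug.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "9.0.0"
+},
+{
+"fixed": "9.6.0-alpha.20"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.6.44"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-9ccr-fpp6-78qf"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10200"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10201"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/parse-community/parse-server"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-1321"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-17T18:37:08Z",
+"nvd_published_at": null
+}
+}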
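Review bot: `cwe_ids` lists only `"CWE-1321"`, while the `details` text describes the outcome as a bypass of the request keyword denylist and of the class-level permission for adding fields, i.e. an authorization control that is circumvented, and names the pipeline ordering as the root cause rather than the pollution itself. The fourth file in this commit pairs a mechanism CWE with `"CWE-863"` for a comparable control-bypass outcome; if that convention is intended here too, `"cwe_ids": ["CWE-1321", "CWE-863"]` would make the classification match the narrative. This is inferred from the prose only; the CVSS vector (`PR:L`, `VI:L`) is consistent with either choice.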
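--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE/GHSA-g699-3x6g-wm3g.json
@@ -0,0 +1,65 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-g699-3x6g-wm3g",
+"modified": "2026-03-17T18:37:46Z",
+"published": "2026-03-17T18:37:46Z",
+"aliases": [
+"CVE-2026-32946"
+],
+"summary": "Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)",
+"details": "## Summary\n\nA vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the `egress-policy: block` network restriction using DNS queries over TCP.\n\nHarden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When `egress-policy: block` is enabled with a restrictive allowed-endpoints list (e.g., only `github.com:443`), all non-compliant traffic should be denied. However, DNS queries over TCP, commonly used for large responses or fallback from UDP, are not adequately restricted. Tools like `dig` can explicitly initiate TCP-based DNS queries (`+tcp` flag) without being blocked. \n\nThis vulnerability requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\nThe Enterprise Tier of Harden-Runner is **not affected** by this vulnerability.\n\n## Impact\n\nWhen Harden-Runner is configured with `egress-policy: block` and a restrictive `allowed-endpoints` list, an attacker with existing code execution capabilities within a GitHub Actions workflow can bypass the egress block policy by initiating DNS queries over TCP to external resolvers. This allows outbound network communication that evades the configured network restrictions.\n\nThis vulnerability affects only the Community Tier. It requires the attacker to already have code execution capabilities within the GitHub Actions workflow.\n\n## Remediation\n\n### For Community Tier Users\n\nUpgrade to Harden-Runner v2.16.0 or later. \n\n### For Enterprise Tier Users\n\nNo action required. Enterprise tier customers are not affected by this vulnerability.\n\n## Credit \n\nWe would like to thank [Devansh Batham](https://github.com/devanshbatham) for responsibly disclosing this vulnerability through our security reporting process.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "GitHub Actions",
+"name": "step-security/harden-runner"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.16.0"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 2.15.1"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/step-security/harden-runner"
+},
+{
+"type": "WEB",
+"url": "https://github.com/step-security/harden-runner/releases/tag/v2.16.0"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-693",
+"CWE-863"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-17T18:37:46Z",
+"nvd_published_at": null
+}
+}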
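Review bot: The `details` string carries trailing spaces ahead of three of its `\n\n` breaks — after `without being blocked.`, after `Upgrade to Harden-Runner v2.16.0 or later.`, and in the `## Credit ` heading — so every rendering and every byte-level comparison of this record differs from the intended text by whitespace alone. Trimming each is a one-token change, e.g. `## Credit\n\n` for the heading. The rest of the record is internally consistent: the `"fixed": "2.16.0"` event agrees with `"last_known_affected_version_range": "<= 2.15.1"`, with the release-tag reference, and with the remediation sentence in `details`.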
