
Commit 1493e78

1 parent d41967b commit 1493e78


3 files changed

+252
-0
lines changed

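--- /dev/null
+++ b/PATH_NOT_ON_PAGE/GHSA-mfj6-6p54-m98c.json
@@ -0,0 +1,96 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-mfj6-6p54-m98c",
+"modified": "2026-03-31T23:49:18Z",
+"published": "2026-03-31T23:49:18Z",
+"aliases": [
+"CVE-2026-34573"
+],
+"summary": "parse-server has GraphQL complexity validator exponential fragment traversal DoS",
+"details": "### Impact\n\nThe GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the `requestComplexity.graphQLDepth` or `requestComplexity.graphQLFields` configuration options.\n\n### Patches\n\nThe fix replaces the per-branch fragment traversal with memoized fragment computation, reducing the traversal from exponential O(2^N) to linear O(N) time. Additionally, early termination aborts the traversal as soon as configured limits are exceeded.\n\n### Workarounds\n\nDisable GraphQL complexity limits by setting `requestComplexity.graphQLDepth` and `requestComplexity.graphQLFields` to `-1` (the default).\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10344\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10345",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "9.0.0"
+},
+{
+"fixed": "9.7.0-alpha.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.6.68"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-mfj6-6p54-m98c"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34573"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10344"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10345"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/commit/ea15412795f34594cc8a674fe858d445675e0295"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/commit/f759bda075298ec44e2b4fb57659a0c56620483b"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/parse-community/parse-server"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-407"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-31T23:49:18Z",
+"nvd_published_at": "2026-03-31T16:16:33Z"
+}
+}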
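--- /dev/null
+++ b/PATH_NOT_ON_PAGE/GHSA-p44q-vqpr-4xmg.json
@@ -0,0 +1,60 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-p44q-vqpr-4xmg",
+"modified": "2026-03-31T23:48:02Z",
+"published": "2026-03-31T23:48:02Z",
+"aliases": [
+"CVE-2026-34531"
+],
+"summary": "Flask-HTTPAuth invokes token verification callback when missing or empty token was given by client",
+"details": "## Summary\n\nIn a situation where the client makes a request to a token protected resource without passing a token, or passing an empty token, Flask-HTTPAuth would invoke the application's token verification callback function with the `token` argument set to an empty string. If the application had any users in its database with an empty string set as their token, then it could potentially authenticate the client request against any of those users.\n\n## Notes\n\n- This issue applies only to token authentication\n- This issue applies only when the application verifies tokens by searching for them in a user database.\n- This issue applies only if the application stores empty strings as user tokens when the user does not have an assigned token. It does not apply if the application sets those tokens to `NULL` instead.\n- Tokens that are verified through cryptographic means (such as JWTs) are not affected by this issue.\n- Basic and Digest authentication are not affected by this issue.\n\n## Remediation\n\nTo protect against this issue, developers should make sure that no user in the user database has their `token` set to an empty string. If there are such users, change the value of those tokens to `NULL` instead.\n\nAlternatively, developers can upgrade their projects to `Flask-HTTPAuth>=4.8.1`, which fixes this issue.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Flask-HTTPAuth"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.8.1"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 4.8.0"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth/security/advisories/GHSA-p44q-vqpr-4xmg"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/miguelgrinberg/Flask-HTTPAuth"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-287"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-31T23:48:02Z",
+"nvd_published_at": null
+}
+}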
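Review bot: `nvd_published_at` is `null` in this record while the two sibling records in the same commit carry an RFC 3339 timestamp, and the `references` array has no `"type": "ADVISORY"` entry pointing at the NVD page for CVE-2026-34531, which the other two records do include; presumably NVD had not yet published when this record was generated. Any consumer reading `database_specific.nvd_published_at` across these files must therefore treat it as `string | null` rather than assuming a string, and the same applies to code that looks for an `ADVISORY` reference. Once NVD publishes, the record should be refreshed with the timestamp and the NVD reference so the three records share one shape.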
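--- /dev/null
+++ b/PATH_NOT_ON_PAGE/GHSA-vpj2-qq7w-5qq6.json
@@ -0,0 +1,96 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-vpj2-qq7w-5qq6",
+"modified": "2026-03-31T23:48:38Z",
+"published": "2026-03-31T23:48:38Z",
+"aliases": [
+"CVE-2026-34532"
+],
+"summary": "parse-server has cloud function validator bypass via prototype chain traversal",
+"details": "### Impact\n\nAn attacker can bypass Cloud Function validator access controls by appending `.prototype.constructor` to the function name in the URL. When a Cloud Function handler is declared using the `function` keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped.\n\nThis allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as `requireUser`, `requireMaster`, or custom validation logic.\n\n### Patches\n\nThe trigger store traversal now verifies that each intermediate node is a legitimate store object before continuing traversal. If the traversal encounters a non-store value such as a function handler, it stops and returns an empty store, preventing prototype chain escape.\n\n### Workarounds\n\nUse arrow functions instead of the `function` keyword for Cloud Function handlers. Arrow functions do not have a `prototype` property and are not affected by this vulnerability.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10342\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10343",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "9.0.0"
+},
+{
+"fixed": "9.7.0-alpha.11"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "npm",
+"name": "parse-server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "8.6.67"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-vpj2-qq7w-5qq6"
+},
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34532"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10342"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/pull/10343"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/commit/4fc48cf28f22eea200d74d883505f485234a48d7"
+},
+{
+"type": "WEB",
+"url": "https://github.com/parse-community/parse-server/commit/dc59e272665644083c5b7f6862d88ce1ef0b2674"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/parse-community/parse-server"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-863"
+],
+"severity": "CRITICAL",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-31T23:48:38Z",
+"nvd_published_at": "2026-03-31T15:16:20Z"
+}
+}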
