SB2026040790 - Inclusion of Functionality from Untrusted Control Sphere in Parse Server

Published: April 7, 2026

Security Bulletin ID: SB2026040790
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Inclusion of Functionality from Untrusted Control Sphere (CVE-ID: N/A)

CWE-ID: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to introduce unreviewed code into deployments.

The vulnerability exists due to improper control of version tags in the parse-server repository metadata when a dependency is resolved from an affected git tag. A remote user can reference a repository dependency pinned to an incorrect version tag and thereby introduce unreviewed code into deployments.

The issue affects environments that install Parse Server directly from git version tags; Bitnami images may also be affected if they incorporated the incorrect 4.9.3 tag.
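The exposure described above only exists where a deployment resolves parse-server from a git tag rather than from a registry release. The following audit script is an added example, not code from this bulletin or from the Parse Server project: it walks a package.json manifest, identifies dependencies that npm would fetch from a git host, and classifies each as pinned (full commit SHA) or mutable (tag, branch or semver range), flagging the 4.9.3 tag named in this bulletin. The sample manifest, the `some-lib` dependency and the `KNOWN_BAD_TAGS` table are constructed for the example; the `parse-community/parse-server` repository path is the project's public GitHub location.

```javascript
// Added example (not from the bulletin or from Parse Server): audit a
// package.json for dependencies resolved from a git host instead of the npm
// registry. A full commit SHA is treated as pinned; tags, branches and
// "semver:" ranges are treated as mutable because the upstream can move them.

// Specifier forms npm resolves from git, including the "owner/repo#ref" shorthand.
const GIT_SPEC = /^(git\+[a-z]+:|git:|github:|gitlab:|bitbucket:|gist:|https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\/|[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$)/;
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Classify one dependency specifier; returns null for registry, file: and npm: specs.
function classifyGitSpec(spec) {
  if (typeof spec !== "string" || !GIT_SPEC.test(spec)) return null;
  const hash = spec.indexOf("#");
  const ref = hash === -1 ? "" : spec.slice(hash + 1);
  const pinnedToCommit = FULL_SHA.test(ref);
  return {
    ref: ref || "(default branch)",
    pinnedToCommit,
    mutable: !pinnedToCommit,            // tag, branch, default branch or range
    isSemverRange: ref.startsWith("semver:"), // resolves to whatever tag matches today
  };
}

// Tags this bulletin identifies as incorrect, keyed by package name (constructed table).
const KNOWN_BAD_TAGS = { "parse-server": new Set(["4.9.3"]) };

// Walk every dependency section and return one finding per git-resolved package.
function auditDependencies(pkg) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const git = classifyGitSpec(spec);
      if (!git) continue;
      const badTag = (KNOWN_BAD_TAGS[name] || new Set()).has(git.ref);
      let severity = "info";
      let advice = "pinned to a commit SHA; confirm the SHA matches a reviewed release";
      if (badTag) {
        severity = "high";
        advice = "references a tag the bulletin identifies as incorrect; move to a registry release";
      } else if (git.mutable) {
        severity = "medium";
        advice = "git tag/branch can be moved upstream; pin to a commit SHA or use a registry version with lockfile integrity";
      }
      findings.push({ section, name, spec, ref: git.ref, pinnedToCommit: git.pinnedToCommit, severity, advice });
    }
  }
  return findings;
}

// Constructed sample manifest; not taken from any real deployment.
const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  dependencies: {
    "parse-server": "github:parse-community/parse-server#4.9.3",
    "express": "^4.18.2",
    "some-lib": "git+https://github.com/example/some-lib.git#" + "a".repeat(40),
  },
  devDependencies: { "jest": "^29.0.0" },
};

// Print a one-line report per finding when run directly.
function printReport(pkg) {
  const findings = auditDependencies(pkg);
  for (const f of findings) {
    console.log(`[${f.severity}] ${f.section}/${f.name} -> ${f.spec}: ${f.advice}`);
  }
  return findings.length;
}

printReport(SAMPLE_PACKAGE_JSON);
```

Registry dependencies such as `express` produce no finding because the lockfile's `integrity` field already binds them to a specific tarball; git-sourced entries carry no such hash unless they are pinned to a commit, which is why the script treats every tag or branch reference as mutable regardless of the package name.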


Remediation

Install update from vendor's website.