Intel/AIKIDO-2024-10047
parse-server
AIKIDO-2024-10047
parse-server is vulnerable to SQL Injection
SQL InjectionCVE-2024-27298 Published Apr 24, 2024
99
Critical Risk
This Affects:
parse-server2.2.14 - 6.4.0
Fixed in 6.5.0Are you affected? Scan for Free
TL;DR
Versions of this package impacted by this issue are vulnerable to SQL Injection through a malicious PostgreSQL statement containing multiple quoted strings. This vulnerability occurs only when using the PostgreSQL engine.
Who does this affect?
You are affected if you are using a version which is within vulnerability ranges and if you are using the PostgreSQL engine.
Background info
parse-server is vulnerable to SQL Injection in versions 2.2.14 - 6.4.0.
How to fix this
Upgrade the parse-server library to the patch version.
Links
GitHub Releases
Fix Commits
github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504
github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
Resources
Industries
Use Cases
Compare
© 2026 Aikido Security BV | BE0792914919
Keizer Karelstraat 15, 9000, Ghent, Belgium
95 Third St, 2nd Fl, San Francisco, CA 94103, US
Unit 6.15 Runway East 18 18 Crucifix Ln, London SE1 3JW UK
Ghent, Belgium | San Francisco, US
SOC 2Compliant
ISO 27001Compliant