CVE-2024-27298

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504	Patch
https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833	Patch
https://github.com/parse-community/parse-server/releases/tag/6.5.0	Release Notes
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20	Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2	Vendor Advisory
https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504	Patch
https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833	Patch
https://github.com/parse-community/parse-server/releases/tag/6.5.0	Release Notes
https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20	Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:parseplatform:parse-server::::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:6.5.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:6.5.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:6.5.0:beta1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha1::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha10::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha11::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha12::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha13::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha14::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha15::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha16::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha17::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha18::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha19::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha2::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha3::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha4::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha5::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha6::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha7::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha8::::node.js::*
	cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha9::::node.js::*

History

03 Dec 2025, 20:52

Type	Values Removed	Values Added
CPE		cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha18::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha3::::node.js::* cpe:2.3:a:parseplatform:parse-server:6.5.0:beta1::::node.js::* cpe:2.3:a:parseplatform:parse-server:6.5.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha8::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha10::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha1::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha12::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha19::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha5::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha14::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha16::::node.js::* cpe:2.3:a:parseplatform:parse-server::::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha9::::node.js::* cpe:2.3:a:parseplatform:parse-server:6.5.0:alpha2::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha13::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha7::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha6::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha15::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha17::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha2::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha4::::node.js::* cpe:2.3:a:parseplatform:parse-server:7.0.0:alpha11::::node.js::*
First Time		Parseplatform parse-server Parseplatform
References	~~() https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 -~~	() https://github.com/parse-community/parse-server/commit/a6e654943536932904a69b51e513507fcf90a504 - Patch
References	~~() https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833 -~~	() https://github.com/parse-community/parse-server/commit/cbefe770a7260b54748a058b8a7389937dc35833 - Patch
References	~~() https://github.com/parse-community/parse-server/releases/tag/6.5.0 -~~	() https://github.com/parse-community/parse-server/releases/tag/6.5.0 - Release Notes
References	~~() https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 -~~	() https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.20 - Release Notes
References	~~() https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 -~~	() https://github.com/parse-community/parse-server/security/advisories/GHSA-6927-3vr9-fxf2 - Vendor Advisory

Information

Published : 2024-03-01 18:15

Updated : 2025-12-03 20:52

NVD link : CVE-2024-27298

Mitre link : CVE-2024-27298

CVE.ORG link : CVE-2024-27298

JSON object : View

Products Affected

parseplatform

parse-server

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

10.0 /10