CVE-2023-41058: Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Pars...

Description

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability

0.62%

45.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-670

Affected Software

Vendor	Product	Versions
Parseplatform	Parse-Server	< 5.5.5
Parseplatform	Parse-Server	>= 6.0.0, < 6.2.2

References

https://docs.parseplatform.org/parse-server/guide/#securityProduct
https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5Patch
https://github.com/parse-community/parse-server/releases/tag/5.5.5Release Notes
https://github.com/parse-community/parse-server/releases/tag/6.2.2Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9qMitigation, Vendor Advisory
https://docs.parseplatform.org/parse-server/guide/#securityProduct
https://github.com/parse-community/parse-server/commit/be4c7e23c63a2fb690685665cebed0de26be05c5Patch
https://github.com/parse-community/parse-server/releases/tag/5.5.5Release Notes
https://github.com/parse-community/parse-server/releases/tag/6.2.2Release Notes
https://github.com/parse-community/parse-server/security/advisories/GHSA-fcv6-fg5r-jm9qMitigation, Vendor Advisory

Timeline

Published: Sep 4, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-41058?

Parse Server is an open source backend server. In affected versions the Parse Cloud trigger `beforeFind` is not invoked in certain conditions of `Parse.Query`. This can pose a vulnerability for deployments where the `beforeFind` trigger is used as a security layer to modify the incoming query. The vulnerability has been fixed by refactoring the internal query pipeline for a more concise code structure and implementing a patch to ensure the `beforeFind` trigger is invoked. This fix was introduced in commit `be4c7e23c6` and has been included in releases 6.2.2 and 5.5.5. Users are advised to upgrade. Users unable to upgrade should make use of parse server's security layers to manage access levels with Class-Level Permissions and Object-Level Access Control that should be used instead of custom security layers in Cloud Code triggers.

How severe is CVE-2023-41058?

CVE-2023-41058 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 0.62% probability of exploitation in the next 30 days.

How do I fix CVE-2023-41058?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.