Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 5bbca7b
Author: Manuel
Date: 2026-03-09T14:06:32Z
Commit Message
fix: LDAP injection via unsanitized user input in DN and group filter construction ([GHSA-7m6r-fhh7-r47c](https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c)) (#10154)
Pull Request
PR: #10154 - fix: LDAP injection via unsanitized user input in DN and group filter construction (GHSA-7m6r-fhh7-r47c)
Labels: state:released-alpha
Description:
Issue
LDAP injection via unsanitized user input in DN and group filter construction ([GHSA-7m6r-fhh7-r47c](https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c))
Analysis
Vulnerability Type: LDAP Injection
Severity: High
Description
The patch fixes an LDAP injection vulnerability where unsanitized user input was directly inserted into LDAP Distinguished Name (DN) strings and LDAP filters. This allowed attackers to manipulate the LDAP queries, potentially bypassing authentication or authorization checks by injecting crafted input such as additional DN components or LDAP filter wildcards. The patch adds proper escaping of special characters in DN and filter contexts to mitigate injection attacks.
Affected Code
```js
// Pre-patch construction of the bind DN: authData.id is spliced in unescaped,
// whether it replaces the {{id}} placeholder in options.dn or is appended
// directly in front of options.suffix.
const userCn =
  typeof options.dn === 'string'
    ? options.dn.replace('{{id}}', authData.id)
    : `uid=${authData.id},${options.suffix}`;

// Pre-patch group filter: the caller-supplied id replaces every {{id}}
// placeholder without filter escaping.
const filter = options.groupFilter.replace(/{{id}}/gi, id);
```
Proof of Concept
1) DN Injection:
- Input: authData.id = 'admin,ou=admins'
- Before patch: DN becomes 'uid=admin,ou=admins,o=example', interpreted as 3 RDN components, potentially authenticating as admin with escalated privileges.
- Expected: Binds to privileged account.
2) LDAP Filter Injection:
- Input: authData.id = '*'
- Before patch: filter becomes '(&(uniqueMember=uid=*, o=example)(objectClass=groupOfUniqueNames))', causing the wildcard '*' to match all users, bypassing group membership checks.
- Expected: Access granted despite not being in the group.
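The mitigation described above, as an added example rather than parse-server's own patch: the helpers, option names and templates below are assumed, and they escape the id per RFC 4514 (DN values) and RFC 4515 (filter values) before building the same two strings as the affected code, so the two proof-of-concept inputs stay single literal values.

```javascript
// Added example (not parse-server's own code): escape the id before it is
// spliced into a DN or a search filter, then show that the two inputs from
// the proof of concept no longer change the query structure.

// RFC 4514: escape characters that are special inside a DN attribute value.
function escapeDnValue(value) {
  const s = String(value);
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    const edge = i === 0 || i === s.length - 1;
    if (c === '\0') out += '\\00';
    else if ('\\,+"<>;='.includes(c)) out += '\\' + c;
    else if ((c === ' ' && edge) || (c === '#' && i === 0)) out += '\\' + c;
    else out += c;
  }
  return out;
}

// RFC 4515: escape characters that are special inside a filter assertion value.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Same shape as the affected code, with the id escaped for the DN context.
function buildUserDn(id, options) {
  const safeId = escapeDnValue(id);
  return typeof options.dn === 'string'
    ? options.dn.replace('{{id}}', safeId)
    : `uid=${safeId},${options.suffix}`;
}

// The group filter embeds the id inside a DN-valued attribute (uniqueMember),
// so the id is DN-escaped first and the result is then filter-escaped.
function buildGroupFilter(id, options) {
  const safeId = escapeFilterValue(escapeDnValue(id));
  return options.groupFilter.replace(/{{id}}/gi, safeId);
}

// Constructed inputs, taken from the proof of concept above.
const opts = {
  suffix: 'o=example',
  groupFilter: '(&(uniqueMember=uid={{id}}, o=example)(objectClass=groupOfUniqueNames))',
};
console.log(buildUserDn('admin,ou=admins', opts));
// uid=admin\,ou\=admins,o=example  (one uid RDN plus the suffix, not three RDNs)
console.log(buildGroupFilter('*', opts));
// (&(uniqueMember=uid=\2a, o=example)(objectClass=groupOfUniqueNames))
```

The escaped wildcard `\2a` is matched literally by the server, so the filter only matches a member whose uid is the character `*`, and the escaped comma and equals sign keep the injected `ou=admins` inside the uid value instead of becoming a second RDN.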
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-09T18:03:20.203Z