Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 8f82282
Author: Manuel
Date: 2026-03-09T21:30:28Z
Commit Message
fix: SQL injection via `Increment` operation on nested object field in PostgreSQL ([GHSA-q3vj-96h2-gwvg](https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg)) (#10161)
Pull Request
PR: #10161 - fix: SQL injection via Increment operation on nested object field in PostgreSQL (GHSA-q3vj-96h2-gwvg)
Labels: state:released-alpha
Description:
Pull Request
Issue
Approach
SQL injection via Increment operation on nested object field in PostgreSQL ([GHSA-q3vj-96h2-gwvg](https://github.com/parse-community/parse-server/security/advisories/GHSA...
Analysis
Vulnerability Type: SQL Injection
Severity: High
Description
The patch fixes a SQL injection vulnerability in the PostgreSQL storage adapter where the `Increment` operation on nested object fields accepted unchecked input for the `amount` parameter and interpolated it directly into the SQL string. This flaw allowed attackers to inject arbitrary SQL expressions, leading to possible data exfiltration or denial of service by injecting SQL functions such as `pg_sleep`. The patch adds strict validation so that only numeric amounts are accepted, preventing the injection.
Affected Code
return `CONCAT('{"${c}":', COALESCE($${index}:name->>'${c}','0')::int + ${amount}, '}')::jsonb`;
Proof of Concept
Send a PUT request to increment a nested object field with payload:
```json
{
  "stats.counter": { "__op": "Increment", "amount": "0+(SELECT pg_sleep(3))" }
}
```
Expected behavior before patch: The database query would execute the injected `pg_sleep(3)`, causing a delay of 3 seconds, demonstrating SQL injection.
Expected behavior after patch: The server rejects the request with a 400 error indicating invalid input type, and the injection does not execute.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-10T00:01:37.545Z