Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: ea538a4
Author: Manuel
Date: 2026-03-09T20:27:56Z
Commit Message
fix: SQL injection via dot-notation field name in PostgreSQL ([GHSA-qpr4-jrj4-6f27](https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27)) (#10159)
Pull Request
PR: #10159 - fix: SQL injection via dot-notation field name in PostgreSQL (GHSA-qpr4-jrj4-6f27)
Labels: state:released-alpha
Description:
Pull Request
Issue
SQL injection via dot-notation field name in PostgreSQL ([GHSA-qpr4-jrj4-6f27](https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27))
Tasks
Analysis
Vulnerability Type: SQL Injection
Severity: High
Description
The patch fixes a SQL injection vulnerability in the PostgreSQL adapter where unescaped user input in dot-notation field names used in ORDER BY clauses could allow injection of malicious SQL commands. The fix correctly escapes quotes in these field names, preventing attackers from injecting arbitrary SQL statements that could modify or disrupt the database.
Affected Code
// Pre-fix version of the helper from the PostgreSQL storage adapter.
// It splits a dot-notation field name (e.g. "data.x") into the components
// used to build a JSON path expression in SQL. Note that each component is
// interpolated into the quoted string without any escaping, so a quote
// character in the field name terminates the literal early.
// isArrayIndex is a helper defined elsewhere in the adapter (true when the
// component consists only of digits); it is reproduced here so the snippet
// runs on its own.
const isArrayIndex = cmpt => Array.from(cmpt).every(c => c >= '0' && c <= '9');

const transformDotFieldToComponents = fieldName => {
  return fieldName.split('.').map((cmpt, index) => {
    if (index === 0) {
      // first component is the column name, wrapped in double quotes
      return `"${cmpt}"`;
    }
    if (isArrayIndex(cmpt)) {
      // numeric components address a JSON array element
      return Number(cmpt);
    } else {
      // remaining components are JSON object keys, wrapped in single quotes
      // (unescaped: this is the injection point fixed by the patch)
      return `'${cmpt}'`;
    }
  });
};
Proof of Concept
Send an HTTP GET request to the Parse Server REST API with a malicious sort order parameter exploiting dot-notation, e.g.:
GET /1/classes/InjectionTest?order=data.x' ASC; UPDATE "InjectionTest" SET name = 'hacked' WHERE true--
If unescaped, this will execute a stacked SQL query that changes the 'name' field of the InjectionTest table to 'hacked'. Without the fix, this results in arbitrary data modification in the database.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-10T00:01:47.082Z