Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: b2f2317
Author: Manuel
Date: 2026-03-07T19:16:38Z
Commit Message
fix: NoSQL injection via token type in password reset and email verification endpoints ([GHSA-vgjh-hmwf-c588](https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588)) (#10128)
Pull Request
PR: #10128 - fix: NoSQL injection via token type in password reset and email verification endpoints (GHSA-vgjh-hmwf-c588)
Labels: state:released-alpha
Description:
Pull Request
Issue
NoSQL injection via token type in password reset and email verification endpoints ([GHSA-vgjh-hmwf-c588](https://github.com/parse-community/parse-server/security/advisories/GHSA-vgjh-hmwf-c588))
Analysis
Vulnerability Type: NoSQL Injection
Severity: High
Description
Before this patch, the password reset and email verification endpoints accepted non-string token inputs that could include MongoDB query operators such as $ne, $regex, $exists, or $gt. This allowed an attacker to perform NoSQL injection, enabling them to bypass token checks by crafting malicious token queries, potentially triggering password reset emails or verifying emails without authorization. The patch forces token parameters to be strings or rejects non-string tokens, preventing query operator injections.
Affected Code
```javascript
// Password reset / email verification handlers before the fix:
// a non-string token (e.g. an object carrying MongoDB operators) is never rejected
if (token && typeof token !== 'string') {
  // no check here; token used directly in DB query
}

// In resendVerificationEmail (separate handler), the token is read from the
// request body without string coercion or validation
const token = req.body?.token;
```
Proof of Concept
```http
POST /requestPasswordReset
{
  "token": { "$ne": null },
  "email": "[email protected]"
}
```
This input causes the backend to interpret the token query as `{$ne: null}`, matching any user with a non-null token and triggering a password reset email for the victim, allowing an attacker to enumerate tokens or induce unintended resets.
Expected behavior after patch: Server rejects the request with error code Parse.Error.INVALID_VALUE due to non-string token.
Another example:
```http
POST /requestPasswordReset
{
  "token": { "$regex": ".*" },
  "email": "[email protected]"
}
```
Without the patch, an attacker can abuse $regex to leak token existence or trigger actions improperly.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T00:00:48.381Z