CVE-2024-27298

parse-server is a Parse Server for Node.js / Express. This vulnerability allows SQL injection when Parse Server is configured to use the PostgreSQL database. The vulnerability has been fixed in 6.5.0 and 7.0.0-alpha.20.

Published: Mar 1, 2024
Updated: Nov 16, 2025
CVE: CVE-2024-27298
GHSA: GHSA-6927-3vr9-fxf2
Severity: Critical
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
parse-server	-	6.5.0
parse-server	7.0.0-alpha.1	7.0.0-alpha.20
parseplatform / parse-server	-	6.5.0
parseplatform / parse-server	6.5.0-alpha1	6.5.0-alpha1.x
parseplatform / parse-server	6.5.0-alpha2	6.5.0-alpha2.x
parseplatform / parse-server	6.5.0-beta1	6.5.0-beta1.x
parseplatform / parse-server	7.0.0-alpha1	7.0.0-alpha1.x
parseplatform / parse-server	7.0.0-alpha10	7.0.0-alpha10.x
parseplatform / parse-server	7.0.0-alpha11	7.0.0-alpha11.x
parseplatform / parse-server	7.0.0-alpha12	7.0.0-alpha12.x
parseplatform / parse-server	7.0.0-alpha13	7.0.0-alpha13.x
parseplatform / parse-server	7.0.0-alpha14	7.0.0-alpha14.x
parseplatform / parse-server	7.0.0-alpha15	7.0.0-alpha15.x
parseplatform / parse-server	7.0.0-alpha16	7.0.0-alpha16.x
parseplatform / parse-server	7.0.0-alpha17	7.0.0-alpha17.x
parseplatform / parse-server	7.0.0-alpha18	7.0.0-alpha18.x
parseplatform / parse-server	7.0.0-alpha19	7.0.0-alpha19.x
parseplatform / parse-server	7.0.0-alpha2	7.0.0-alpha2.x
parseplatform / parse-server	7.0.0-alpha3	7.0.0-alpha3.x
parseplatform / parse-server	7.0.0-alpha4	7.0.0-alpha4.x
parseplatform / parse-server	7.0.0-alpha5	7.0.0-alpha5.x
parseplatform / parse-server	7.0.0-alpha6	7.0.0-alpha6.x
parseplatform / parse-server	7.0.0-alpha7	7.0.0-alpha7.x
parseplatform / parse-server	7.0.0-alpha8	7.0.0-alpha8.x
parseplatform / parse-server	7.0.0-alpha9	7.0.0-alpha9.x

Vulnerability Database

314,432

CVE-2024-27298

Deep Security Visibility Without the Complexity