Listen to this Post
A malformed `$regex` query parameter (e.g., [abc) causes the database to return a structured error object. This error object, rich with database internals such as error messages, codes, code names, cluster timestamps, and topology details, is passed unsanitized directly to the API client . This vulnerability, identified as CWE-209 (Generation of Error Message Containing Sensitive Information), allows any client that can send query requests to potentially map the internal database architecture . The exploitability depends on the deployment’s permission configuration, but it requires no privileges and no user interaction . Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 are affected . The fix implemented sanitizes these database error objects, replacing detailed errors with a generic “An internal server error occurred” message to clients while logging the full details server-side. This fix also respects the `enableSanitizedErrorResponse` server option, allowing administrators to control this behavior .
dailycve form:
Platform: Parse Server
Version: <8.6.7, <9.5.0-alpha.6
Vulnerability: Information Disclosure
Severity: Medium
date: 2026-03-05
Prediction: Patch available
What Undercode Say:
Analytics:
Check your Parse Server version:
npm list parse-server
Or for global installations:
parse-server --version
Simulate a vulnerable request to test for exposure (do not use on production systems):
Replace URL and App ID with your target's values
curl -X GET \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
'https://your-parse-server.com/parse/classes/YourClass?where={"field":{"$regex":"[abc"}}'
If the response contains database error codes, cluster timestamps, or topology details instead of a generic error, the system is vulnerable .
Exploit:
An attacker can send a specifically malformed regex query to elicit detailed database errors:
curl -X GET \
-H "X-Parse-Application-Id: TARGET_APP_ID" \
'https://target-parse-server.com/parse/classes/AnyClass?where={"sensitiveField":{"$regex":"[abc"}}'
The server responds with an error object that leaks internal database information, such as `MongoError` details, topology IDs, or cluster timestamps, which can be used for further reconnaissance .
Protection from this CVE
- Upgrade to patched versions: 8.6.7 or 9.5.0-alpha.6 (or later) .
- Ensure the `enableSanitizedErrorResponse` server option is set to `true` (default in patched versions) to enforce generic error messages .
- Monitor server logs for detailed errors to identify any attempted exploitation without exposing details to clients.
Impact:
- Information Disclosure: Leaks sensitive database internals like error messages, codes, and topology details .
- Security Reconnaissance: Exposed data helps attackers map the database architecture and prepare more targeted attacks.
- Compliance Risk: Disclosure of system details may violate data protection policies by exposing internal infrastructure information.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

