Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ca8119d70551 · 2026-03-24T19:12:43.000Z
GHSA-g3qj-j598-cxmq GHSA-g4cf-xj29-wqqr GHSA-p2w6-rmh7-w8q3
diff --git a/advisories/github-reviewed/2026/03/GHSA-g3qj-j598-cxmq/GHSA-g3qj-j598-cxmq.json b/advisories/github-reviewed/2026/03/GHSA-g3qj-j598-cxmq/GHSA-g3qj-j598-cxmq.json
@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g3qj-j598-cxmq",
+  "modified": "2026-03-24T19:10:38Z",
+  "published": "2026-03-24T19:10:38Z",
+  "aliases": [],
+  "summary": "fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing",
+  "details": "### Summary\nfido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in `extractStrings()` — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead.\n\nThe crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill.\n\nFixed in cbor-extract@2.2.1 / cbor-x@1.6.3 (2026-03-08). fido2-lib@3.5.7 still pins cbor-x ~1.6.0 which resolves to vulnerable cbor-extract.\n\n## Affected versions\n\nfido2-lib <= 3.5.7 (introduced cbor-x dependency). fido2-lib 2.x uses the old `cbor` package — not affected.\n\nOnly affects systems where `cbor-extract` native addon is installed (prebuilt binary available for platform). Pure JS fallback is safe.\n\n## PoC\n\n```js\nconst { decode } = require(\"cbor-x\");\ndecode(Buffer.from(\"7a10000000\", \"hex\")); // exit code 139 (SIGSEGV)\n```\n\nCBOR text string header claiming 268MB in a 5-byte buffer. `extractStrings()` in extract.cpp line 87 calls `readString()` without bounds check. Reads past buffer into unmapped memory.\n\nIn context: attacker intercepts WebAuthn registration response, replaces `attestationObject` with the 5-byte payload, POSTs to the registration verification endpoint. Server calls `attestationResult()` → `cbor-x.decode()` → `cbor-extract` → SIGSEGV.\n\n## Fix\n\nBump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).\n\n```diff\n-\"cbor-x\": \"~1.6.0\"\n+\"cbor-x\": \"^1.6.3\"\n```\n\n— Malik X (@Xvush)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "fido2-lib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.5.8"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.5.7"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/webauthn-open-source/fido2-lib/security/advisories/GHSA-g3qj-j598-cxmq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kriszyp/cbor-extract/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kriszyp/cbor-extract/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kriszyp/cbor-extract/commit/1f6e0d9704149bdb5531d25f5d08a0280a71e2ca"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/webauthn-open-source/fido2-lib"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125",
+      "CWE-126",
+      "CWE-1395"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T19:10:38Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json b/advisories/github-reviewed/2026/03/GHSA-g4cf-xj29-wqqr/GHSA-g4cf-xj29-wqqr.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g4cf-xj29-wqqr",
+  "modified": "2026-03-24T19:11:40Z",
+  "published": "2026-03-24T19:11:40Z",
+  "aliases": [
+    "CVE-2026-33538"
+  ],
+  "summary": "Parse Server: Denial of Service via unindexed database query for unconfigured auth providers",
+  "details": "### Impact\n\nAn unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.\n\n### Patches\n\nThe fix validates that an authentication provider is configured before executing any database query. Requests with unconfigured providers are now rejected immediately without querying the database.\n\n### Workarounds\n\nThere is no known workaround other than upgrading.\n\n### Resources\n\n- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr\n- Fix Parse Server 9: https://github.com/parse-community/parse-server/pull/10270\n- Fix Parse Server 8: https://github.com/parse-community/parse-server/pull/10271",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.6.0-alpha.52"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.58"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-g4cf-xj29-wqqr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10270"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10271"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T19:11:40Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-p2w6-rmh7-w8q3/GHSA-p2w6-rmh7-w8q3.json b/advisories/github-reviewed/2026/03/GHSA-p2w6-rmh7-w8q3/GHSA-p2w6-rmh7-w8q3.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p2w6-rmh7-w8q3",
+  "modified": "2026-03-24T19:12:06Z",
+  "published": "2026-03-24T19:12:06Z",
+  "aliases": [
+    "CVE-2026-33539"
+  ],
+  "summary": "Parse Server has SQL Injection through aggregate and distinct field names in PostgreSQL adapter",
+  "details": "### Impact\n\nAn attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate `$group` pipeline stage or the `distinct` operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access.\n\nOnly Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.\n\n### Patches\n\nField names in the aggregate `$group._id` object values and `distinct` dot-notation parameters are now validated to only contain alphanumeric characters and underscores, preventing SQL injection via the `:raw` interpolation used in the PostgreSQL storage adapter.\n\n### Workarounds\n\nNo workaround. Upgrade to a patched version.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.6.0-alpha.53"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.59"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-p2w6-rmh7-w8q3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10272"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10273"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-24T19:12:06Z",
+    "nvd_published_at": null
+  }
+}
