4.10.7
·
31 commits
to release-4.x.x
since this release
4.10.7 (2022-03-11)
Bug Fixes
-
security vulnerability that allows remote code execution (GHSA-p6h4-93qp-jhcm) (#7841) (886bfd7)
Note that as part of the fix a new security feature scans for sensitive keywords in request data to prevent JavaScript prototype pollution. If such a keyword is found, the request is rejected with HTTP response code
400and Parse Error105(INVALID_KEY_NAME). By default these keywords are:{_bsontype: "Code"},constructor,__proto__. If you are using any of these keywords in your request data, you can override the default keywords by setting the new Parse Server optionrequestKeywordDenylistto[]and specify your own keywords as needed.