9.10.0 (2026-07-13)
Bug Fixes
- Cloud Code beforeFind trigger context is not isolated from prototype pollution (#10570) (bea001e)
- Cloud Function multipart requests bypass the maxUploadSize limit (#10498) (f12e1c3)
- Denial of service via exponential-time processing of deeply nested query operators (GHSA-cgxm-vr2f-6fj8) (#10511) (1103c7a)
- Endpoints
/loginand/verifyPassworddisclose MFA secrets and protected fields when_Userget is denied (GHSA-75v4-m273-5j49) (#10492) (83e90ed) - GeoPoint distance queries fail with an internal server error on MongoDB 8.3 and later (#10572) (b706c22)
- GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers (GHSA-8cph-rgr4-g5vj) (#10467) (155123a)
- GraphQL error messages disclose pointer and relation target class names when public introspection is disabled (GHSA-r2g6-4f6j-f6rf) (#10568) (cb9b542)
- GraphQL error messages disclose required input field names when public introspection is disabled (GHSA-2fgh-8j2g-w354) (#10566) (d96c945), closes GHSA-2f#8j2g-w354 /github.com/parse-community/parse-server/security/advisories/GHSA-2f#8j2g-w354
- GraphQL variable-coercion suggestions disclose schema to unauthenticated callers (GHSA-9g8f-h8f3-hjcm) (#10563) (2625489)
- LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r) (#10515) (e9c85df)
- LiveQuery subscriptions leak when a client reuses a subscribe requestId (#10499) (3fad4fb)
- Middleware route checks do not match routing-equivalent path variants (trailing slash, case) (#10501) (f861210)
- NumberOrBoolean config option (cluster) value not coerced from env/CLI (#10531) (459786f)
- Pre-authentication denial of service via client version header regex backtracking (GHSA-38m6-82c8-4xfm) (#10463) (56c159e)
- rateLimit on exact static routes is bypassed by appending a query string (#10500) (880e8e6)
- Relation
$relatedToquery bypassesprotectedFieldsand owning-object ACL (GHSA-wmwx-jr2p-4j4r) (#10493) (43658f1) - Server option routeAllowList is bypassable through batch sub-requests (GHSA-p84r-h6rx-f2xr) (#10482) (552c6dd)
- Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r) (#10521) (cce91e5)
- Stored XSS via non-standard file extension bypassing file upload extension blocklist (GHSA-v8x7-r927-cc93) (#10505) (be12a60)
- Stored XSS via trailing-dot filename bypassing file upload extension blocklist (GHSA-7wqv-xjf3-x35v) (#10489) (66484ce)