9.5.0 (2026-03-07)

Bug Fixes

• PagesRouter path traversal allows reading files outside configured pages directory (GHSA-hm3f-q6rw-m6wh) (#10104) (e772543)
• Endpoint /loginAs allows readOnlyMasterKey to gain full read and write access as any user (GHSA-79wj-8rqv-jvp5) (#10098) (bc20945)
• File creation and deletion bypasses readOnlyMasterKey write restriction (GHSA-xfh7-phr7-gr2x) (#10095) (036365a)
• File metadata endpoint bypasses beforeFind / afterFind trigger authorization (GHSA-hwx8-q9cg-mqmc) (#10106) (72e7707)
• GraphQL __type introspection bypass via inline fragments when public introspection is disabled (GHSA-q5q9-2rhp-33qw) (#10111) (61261a5)
• JWT audience validation bypass in Google, Apple, and Facebook authentication adapters (GHSA-x6fw-778m-wr9v) (#10113) (9f8d3f3)
• Malformed $regex query leaks database error details in API response (GHSA-9cp7-3q5w-j92g) (#10101) (9792d24)
• Regular Expression Denial of Service (ReDoS) via $regex query in LiveQuery (GHSA-mf3j-86qx-cq5j) (#10118) (5e113c2)

Features

• Add Parse.File option maxUploadSize to override the Parse Server option maxUploadSize per file upload (#10093) (3d8807b)
• Add security check for server option mountPlayground for GraphQL development (#10103) (2ae5db1)
• Add server option readOnlyMasterKeyIps to restrict readOnlyMasterKey by IP (#10115) (cbff6b4)
• Add support for Parse.File.setDirectory, setMetadata, setTags with stream-based file upload (#10092) (ca666b0)
• Allow to identify readOnlyMasterKey invocation of Cloud Function via request.isReadOnly (#10100) (2c48751)
• Deprecate GraphQL Playground that exposes master key in HTTP response (#10112) (d54d800)