Commit b5ca12f
committed
chore(release): 9.10.0 [skip ci]
# [9.10.0](9.9.0...9.10.0) (2026-07-13)
### Bug Fixes
* Cloud Code beforeFind trigger context is not isolated from prototype pollution ([#10570](#10570)) ([bea001e](bea001e))
* Cloud Function multipart requests bypass the maxUploadSize limit ([#10498](#10498)) ([f12e1c3](f12e1c3))
* Denial of service via exponential-time processing of deeply nested query operators ([GHSA-cgxm-vr2f-6fj8](GHSA-cgxm-vr2f-6fj8)) ([#10511](#10511)) ([1103c7a](1103c7a))
* Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied ([GHSA-75v4-m273-5j49](GHSA-75v4-m273-5j49)) ([#10492](#10492)) ([83e90ed](83e90ed))
* GeoPoint distance queries fail with an internal server error on MongoDB 8.3 and later ([#10572](#10572)) ([b706c22](b706c22))
* GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers ([GHSA-8cph-rgr4-g5vj](GHSA-8cph-rgr4-g5vj)) ([#10467](#10467)) ([155123a](155123a))
* GraphQL error messages disclose pointer and relation target class names when public introspection is disabled ([GHSA-r2g6-4f6j-f6rf](GHSA-r2g6-4f6j-f6rf)) ([#10568](#10568)) ([cb9b542](cb9b542))
* GraphQL error messages disclose required input field names when public introspection is disabled ([GHSA-2fgh-8j2g-w354](GHSA-2fgh-8j2g-w354)) ([#10566](#10566)) ([d96c945](d96c945)), closes [GHSA-2f#8j2g-w354](https://github.com/GHSA-2f/issues/8j2g-w354) [/github.com/parse-community/parse-server/security/advisories/GHSA-2f#8j2g-w354](https://github.com//github.com/parse-community/parse-server/security/advisories/GHSA-2f/issues/8j2g-w354)
* GraphQL variable-coercion suggestions disclose schema to unauthenticated callers ([GHSA-9g8f-h8f3-hjcm](GHSA-9g8f-h8f3-hjcm)) ([#10563](#10563)) ([2625489](2625489))
* LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r)) ([#10515](#10515)) ([e9c85df](e9c85df))
* LiveQuery subscriptions leak when a client reuses a subscribe requestId ([#10499](#10499)) ([3fad4fb](3fad4fb))
* Middleware route checks do not match routing-equivalent path variants (trailing slash, case) ([#10501](#10501)) ([f861210](f861210))
* NumberOrBoolean config option (cluster) value not coerced from env/CLI ([#10531](#10531)) ([459786f](459786f))
* Pre-authentication denial of service via client version header regex backtracking ([GHSA-38m6-82c8-4xfm](GHSA-38m6-82c8-4xfm)) ([#10463](#10463)) ([56c159e](56c159e))
* rateLimit on exact static routes is bypassed by appending a query string ([#10500](#10500)) ([880e8e6](880e8e6))
* Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL ([GHSA-wmwx-jr2p-4j4r](GHSA-wmwx-jr2p-4j4r)) ([#10493](#10493)) ([43658f1](43658f1))
* Server option routeAllowList is bypassable through batch sub-requests ([GHSA-p84r-h6rx-f2xr](GHSA-p84r-h6rx-f2xr)) ([#10482](#10482)) ([552c6dd](552c6dd))
* Stored XSS via malformed Content-Type bypassing file upload extension blocklist ([GHSA-r899-h629-j84r](GHSA-r899-h629-j84r)) ([#10521](#10521)) ([cce91e5](cce91e5))
* Stored XSS via non-standard file extension bypassing file upload extension blocklist ([GHSA-v8x7-r927-cc93](GHSA-v8x7-r927-cc93)) ([#10505](#10505)) ([be12a60](be12a60))
* Stored XSS via trailing-dot filename bypassing file upload extension blocklist ([GHSA-7wqv-xjf3-x35v](GHSA-7wqv-xjf3-x35v)) ([#10489](#10489)) ([66484ce](66484ce))
### Features
* Add option to disallow aggregation pipelines for the read-only master key ([#10517](#10517)) ([816078f](816078f))1 parent fb1d6fc commit b5ca12f
3 files changed
Lines changed: 33 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | |
| 22 | + | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
| 26 | + | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
| 30 | + | |
1 | 31 | | |
2 | 32 | | |
3 | 33 | | |
| |||
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
3 | | - | |
| 3 | + | |
4 | 4 | | |
5 | 5 | | |
6 | 6 | | |
| |||
0 commit comments