CVE-2020-5251: 
JavaScript vulnerability analysis and mitigation

CVE-2020-5251 affects Parse Server versions 4.0.0 and earlier. The vulnerability allows attackers to fetch user objects by using regex in NoSQL queries, specifically targeting session tokens. This critical security issue was discovered and disclosed on March 3, 2020, and was patched in version 4.1.0 (GitHub Advisory).

The vulnerability exists in the way Parse Server handles NoSQL queries. An attacker can use regex patterns in queries targeting the '_SessionToken' field to find valid user accounts. For example, a malicious query could be structured as {'_SessionToken':{'$regex':'r:027f'}} to retrieve user accounts without proper authentication. The vulnerability also extends to email verification and password reset functionalities, where regex can be used in token parameters (GitHub Advisory).

The vulnerability allows unauthorized access to user accounts and sensitive information. Attackers can retrieve user accounts without any user interaction, potentially compromising user privacy and security. Additionally, the vulnerability affects email verification and password reset mechanisms, potentially allowing attackers to take over user accounts (GitHub Advisory).

The vulnerability has been patched in Parse Server version 4.1.0. Users should upgrade to this version or later to protect against this security issue. The fix includes additional validation of session tokens and improvements to the handling of token parameters in email verification and password reset functionalities (GitHub Advisory).