Description
For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.10.4
- Patched version(s): 4.10.4
References
Related Issues
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
- parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user - CVE-2026-30229
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on February 01, 2023