Description
For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
- Affected version(s): < 4.10.4
- Patched version(s): 4.10.4
References
Related Issues
- parse-server new anonymous user session acts as if it's created with password - CVE-2021-39138
- parse-server's session object properties can be updated by foreign user if object ID is known - CVE-2022-39225
- Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields` - CVE-2026-39381
- Parse Server has a login timing side-channel reveals user existence - CVE-2026-39321
You might also like:
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on February 01, 2023