LiveQuery publishes user session tokens in parse-server

Description

For regular (non-LiveQuery) queries, the session token is removed from the response, but for LiveQuery payloads it is currently not. If a user has a LiveQuery subscription on the Parse.User class, all session tokens created during user sign-ups will be broadcast as part of the LiveQuery payload.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): < 4.10.4
• Patched version(s): 4.10.4

References

• GHSA-7pr3-p5fm-8r9x
• CVE-2021-41109
• CWE-200
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• cors-anywhere vulnerable to server-side request forgery - CVE-2020-36851
• Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
• Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
• Valid ECDSA signatures erroneously rejected in Elliptic - CVE-2024-48948

Tags:

npm

parse-server