parse-server new anonymous user session acts as if it's created with password
- Severity: Medium
Description
This issue affects developers who use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up using REST, the server creates the session incorrectly: the authProvider field under createdWith in the _Session class shows that the user logged in by creating a password.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.5.2
- Patched version(s): 4.5.2
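
The following audit sketch is an added example, not code from parse-server or from this advisory. It checks a version string against the patched release and flags signup sessions whose createdWith.authProvider reads "password" although the owning user has only anonymous authData. It assumes _User and _Session rows exported with the master key, with sessions shaped as `createdWith: { action, authProvider }` and a `user` pointer, and anonymous users carrying `authData.anonymous`; all sample rows and the helper names are constructed.

```javascript
// Added example, not parse-server code. Sample rows below are constructed.
const PATCHED = [4, 5, 2]; // patched version stated in the advisory

// True when a plain x.y.z version string is below the patched release.
function isAffectedVersion(version) {
  const parts = version.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((parts[i] || 0) !== PATCHED[i]) return (parts[i] || 0) < PATCHED[i];
  }
  return false;
}

// A user is anonymous-only when "anonymous" is the sole non-null authData provider.
function isAnonymousOnly(user) {
  const providers = Object.entries(user.authData || {})
    .filter(([, value]) => value !== null && value !== undefined)
    .map(([name]) => name);
  return providers.length === 1 && providers[0] === "anonymous";
}

// objectIds of signup sessions labelled "password" that belong to anonymous-only users.
function findMislabeledSessions(users, sessions) {
  const anonymousIds = new Set(users.filter(isAnonymousOnly).map((u) => u.objectId));
  return sessions
    .filter((s) => s.createdWith && s.createdWith.action === "signup")
    .filter((s) => s.createdWith.authProvider === "password")
    .filter((s) => s.user && anonymousIds.has(s.user.objectId))
    .map((s) => s.objectId);
}

// Hypothetical helper that builds a pointer to a _User row.
function ptr(id) {
  return { __type: "Pointer", className: "_User", objectId: id };
}

// Constructed sample export (assumed field shapes, see lead-in).
const sampleUsers = [
  { objectId: "uPwd", username: "alice" },
  { objectId: "uAnon1", username: "k3x9", authData: { anonymous: { id: "constructed-1" } } },
  { objectId: "uAnon2", username: "p0q2", authData: { anonymous: { id: "constructed-2" } } },
];
const sampleSessions = [
  { objectId: "s1", user: ptr("uPwd"), createdWith: { action: "signup", authProvider: "password" } },
  { objectId: "s2", user: ptr("uAnon1"), createdWith: { action: "signup", authProvider: "password" } },
  { objectId: "s3", user: ptr("uAnon2"), createdWith: { action: "signup", authProvider: "anonymous" } },
  { objectId: "s4", user: ptr("uAnon1"), createdWith: { action: "login", authProvider: "anonymous" } },
];

console.log(findMislabeledSessions(sampleUsers, sampleSessions));
```

Sessions flagged this way are candidates for review only; any detection or analytics rule that keys on createdWith.authProvider should treat rows written before the upgrade as unreliable.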
References
Related Issues
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) - CVE-2025-27597
- Tags: npm, parse-server
Last updated on January 27, 2023