parse-server new anonymous user session acts as if it's created with password
- Severity: Medium
Description
This issue affects developers who use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up using REST, the server creates the session incorrectly: the authProvider field under createdWith in the _Session class shows that the user logged in by creating a password.
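An added example (not part of the advisory or of parse-server's own code) that audits exported _Session rows for the mislabelling described above. It assumes the usual REST export shapes, where an anonymous user carries an authData.anonymous entry and a session's user field is a pointer with an objectId; the function names and sample records are constructed for illustration.

```javascript
// Constructed sample rows in the shape of a REST export of _User and _Session.
const SAMPLE_USERS = [
  { objectId: 'u1', authData: { anonymous: { id: 'a-111' } } }, // anonymous
  { objectId: 'u2', username: 'alice' },                        // password user
  { objectId: 'u3', authData: { anonymous: { id: 'a-333' } } }, // anonymous
];
const ptr = (id) => ({ __type: 'Pointer', className: '_User', objectId: id });
const SAMPLE_SESSIONS = [
  { objectId: 's1', user: ptr('u1'), createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's2', user: ptr('u2'), createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's3', user: ptr('u3'), createdWith: { action: 'signup', authProvider: 'anonymous' } },
  { objectId: 's4', user: ptr('u1'), createdWith: { action: 'login', authProvider: 'anonymous' } },
];

// True when the only linked auth provider on the user is "anonymous".
// Providers set to null (unlinked) are ignored.
function isAnonymousOnly(user) {
  const authData = user.authData || {};
  const linked = Object.keys(authData).filter((p) => authData[p] != null);
  return linked.length === 1 && linked[0] === 'anonymous';
}

// Returns objectIds of sessions recorded as a password signup although the
// owning user is anonymous-only. Sessions whose owner is missing from the
// export are skipped rather than guessed at.
function findMislabelledSessions(sessions, users) {
  const byId = new Map(users.map((u) => [u.objectId, u]));
  return sessions
    .filter((s) => {
      const cw = s.createdWith || {};
      const owner = s.user ? byId.get(s.user.objectId) : undefined;
      return (
        cw.action === 'signup' &&
        cw.authProvider === 'password' &&
        owner !== undefined &&
        isAnonymousOnly(owner)
      );
    })
    .map((s) => s.objectId);
}

console.log(findMislabelledSessions(SAMPLE_SESSIONS, SAMPLE_USERS));
```

Any rule or report that relies on createdWith.authProvider to separate anonymous from password sessions should treat the returned rows as unreliable.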
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.5.2
- Patched version(s): 4.5.2
References
Related Issues
- GraphQL: Security breach on Viewer query - CVE-2020-15126
- Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter - CVE-2025-68150
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package - CVE-2025-68619
- Tags: npm, parse-server
Last updated on January 27, 2023