parse-server new anonymous user session acts as if it's created with password
- Severity: Medium
Description
This issue affects developers who use the REST API to sign up users and also allow users to log in anonymously. When an anonymous user is first signed up using REST, the server creates the session incorrectly: the authProvider field under createdWith in the _Session class records the session as if the user had logged in by creating a password.
Recommendation
Update the parse-server package to the latest compatible version. Version details:
- Affected version(s): < 4.5.2
- Patched version(s): 4.5.2
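A way to find sessions already mislabeled by this bug, as an added example (not code from parse-server or from this advisory): it joins exported _Session and _User records and flags signup sessions recorded with authProvider "password" for users whose only auth provider is anonymous. The record shapes (a `user` pointer with `objectId`, `authData` keyed by provider name), the function names and all sample rows are assumptions constructed for illustration.

```javascript
// Constructed sample data; field shapes are assumed to match an export
// of the _Session and _User classes read with the master key.
const sessions = [
  { objectId: 's1', user: { objectId: 'u1' }, createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's2', user: { objectId: 'u2' }, createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's3', user: { objectId: 'u1' }, createdWith: { action: 'login', authProvider: 'anonymous' } },
  { objectId: 's4', user: { objectId: 'u9' }, createdWith: { action: 'signup', authProvider: 'password' } },
  { objectId: 's5', user: { objectId: 'u3' } },
];
const users = [
  { objectId: 'u1', username: 'k3J9xQ', authData: { anonymous: { id: 'constructed-id-1' } } },
  { objectId: 'u2', username: 'alice' },
  { objectId: 'u3', username: 'p0Zr7a', authData: { anonymous: { id: 'constructed-id-2' } } },
];

// True when the only non-null provider in authData is "anonymous".
function isAnonymousOnly(user) {
  const data = user.authData || {};
  const providers = Object.keys(data).filter((p) => data[p] != null);
  return providers.length === 1 && providers[0] === 'anonymous';
}

// Returns one finding per session that cannot be trusted as recorded.
function auditSessions(sessionRows, userRows) {
  const byId = new Map(userRows.map((u) => [u.objectId, u]));
  const findings = [];
  for (const s of sessionRows) {
    const user = s.user ? byId.get(s.user.objectId) : undefined;
    if (!user) {
      // The session points at a user missing from the export; cannot classify.
      findings.push({ session: s.objectId, issue: 'user-not-found' });
    } else if (!s.createdWith) {
      findings.push({ session: s.objectId, issue: 'missing-createdWith' });
    } else if (s.createdWith.action === 'signup' &&
               s.createdWith.authProvider === 'password' &&
               isAnonymousOnly(user)) {
      // The symptom described above: anonymous signup recorded as password.
      findings.push({ session: s.objectId, user: user.objectId,
                      issue: 'anonymous-signup-recorded-as-password' });
    }
  }
  return findings;
}

console.log(auditSessions(sessions, users));
```

Any logic that reads createdWith.authProvider to tell password users from anonymous ones should treat the flagged sessions as unreliable.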
References
Related Issues
- Astro's server source code is exposed to the public if sourcemaps are enabled - CVE-2024-56159
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- Tags: npm, parse-server
Last updated on January 27, 2023