parse-server's session object properties can be updated by foreign user if object ID is known
Severity: Medium
Description
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the `user` field, and then read any custom fields of that session object.
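To make the authorization gap concrete, the following is an added illustration written for this page, not code from parse-server itself. It models a session store with an update handler in two variants: a vulnerable one that only checks that the requested object ID exists (so any authenticated caller who knows the ID can rewrite the `user` field and then read the session's custom fields), and a hardened one that requires the caller to own the session and treats `user` as immutable. The object IDs, user names and the `customFlag` field are constructed sample values.

```javascript
// Added example (not parse-server's own code). Models the advisory's flaw:
// an update path that keys only on a known object ID, with no ownership check.
// All IDs, users and fields below are constructed sample data.

const sampleSessions = new Map([
  ['sess_alice_01', { objectId: 'sess_alice_01', user: 'alice', customFlag: 'alice-only-data' }],
]);

// Fresh deep copy of the sample store so each scenario starts from the same state.
function cloneStore() {
  return new Map([...sampleSessions].map(([id, s]) => [id, { ...s }]));
}

// Vulnerable variant: existence of the object ID is the only check performed.
// Any field in `patch`, including `user`, is applied on behalf of any caller.
function updateSessionVulnerable(store, requestingUser, objectId, patch) {
  const session = store.get(objectId);
  if (!session) return { ok: false, error: 'not found' };
  Object.assign(session, patch);
  return { ok: true, session };
}

// Hardened variant: the caller must be the session's owner, and the `user`
// field is immutable so a session can never be reassigned after creation.
function updateSessionHardened(store, requestingUser, objectId, patch) {
  const session = store.get(objectId);
  if (!session) return { ok: false, error: 'not found' };
  if (session.user !== requestingUser) return { ok: false, error: 'forbidden' };
  if (Object.prototype.hasOwnProperty.call(patch, 'user')) {
    return { ok: false, error: 'user field is immutable' };
  }
  Object.assign(session, patch);
  return { ok: true, session };
}

// Read path: in both variants a caller may only read sessions they own.
// With the vulnerable update, reassigning `user` is enough to pass this check.
function readSession(store, requestingUser, objectId) {
  const session = store.get(objectId);
  if (!session) return { ok: false, error: 'not found' };
  if (session.user !== requestingUser) return { ok: false, error: 'forbidden' };
  return { ok: true, session: { ...session } };
}

// Runs both variants with a non-owner ("mallory") who knows alice's session ID
// and returns what a defender cares about: whether the takeover succeeded.
function demo() {
  const vulnerableStore = cloneStore();
  updateSessionVulnerable(vulnerableStore, 'mallory', 'sess_alice_01', { user: 'mallory' });
  const vulnerableRead = readSession(vulnerableStore, 'mallory', 'sess_alice_01');

  const hardenedStore = cloneStore();
  const hardenedUpdate = updateSessionHardened(hardenedStore, 'mallory', 'sess_alice_01', { user: 'mallory' });
  const hardenedRead = readSession(hardenedStore, 'mallory', 'sess_alice_01');

  return {
    vulnerableTakeover: vulnerableRead.ok,            // true: custom fields now readable by mallory
    hardenedBlocked: !hardenedUpdate.ok && !hardenedRead.ok, // true: update and read both refused
    hardenedError: hardenedUpdate.error,
  };
}

module.exports = { cloneStore, updateSessionVulnerable, updateSessionHardened, readSession, demo };
```

The ownership comparison is the whole fix: knowing an object ID is not proof of authorization, so every write and read on a per-user object must compare the object's owner with the authenticated caller, and identity-bearing fields such as `user` should never be writable through a generic update path.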
Recommendation
Update the parse-server package to the latest compatible version. Version details:
Affected version(s): **>= 5.0.0, < 5.2.6** and **< 4.10.15**
Patched version(s): **5.2.6** and **4.10.15**
References
Related Issues
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server has an OAuth login vulnerability - CVE-2025-30168
Tags: npm, parse-server
Last updated on January 27, 2023