parse-server's session object properties can be updated by foreign user if object ID is known
- Severity:
- Medium
Description
A foreign user can write to the session object of another user if the session object ID is known. For example, a foreign user can assign the session object to their own user by writing to the user field and then read any custom fields of that session object.
Recommendation
Update the parse-server package to the latest compatible version. Followings are version details:
Affected version(s): **>= 5.0.0, < 5.2.6 < 4.10.15** Patched version(s): **5.2.6 4.10.15**
References
Related Issues
- Parse Server vulnerable to Prototype Pollution via Cloud Code Webhooks or Cloud Code Triggers - CVE-2022-41878
- angular vulnerable to regular expression denial of service via the <input type="url"> element - CVE-2023-26118
- Parse Server before v3.4.1 vulnerable to Denial of Service - CVE-2019-1020012
- Parse Server exposes the data schema via GraphQL API - CVE-2025-53364
- Tags:
- npm
- parse-server
Anything's wrong? Let us know Last updated on January 27, 2023