Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter

Description

A vulnerability in Parse Server’s query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts.

Recommendation

Update the parse-server package to the latest compatible version. Followings are version details:

• Affected version(s): **< 8.6.21

  >= 9.0.0-alpha.1, < 9.5.2-alpha.8**

• Patched version(s): **8.6.21

  9.5.2-alpha.8**

References

• GHSA-6r2j-cxgf-495f
• CVE-2026-30965
• CWE-863
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• Parse Server vulnerable to LDAP injection via unsanitized user input in DN and group filter construction - CVE-2026-31828
• Parse Server has an MFA single-use token bypass via concurrent authData login requests - CVE-2026-34224
• Parse Server has a query condition depth bypass via pre-validation transform pipeline - CVE-2026-33498
• Parse Server vulnerable to schema poisoning via prototype pollution in deep copy - CVE-2026-32878

You might also like:

Exploiting Server Version Disclosure

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

parse-server