Listen to this Post
Parse Server fails to sanitize user input during session creation via the `POST /classes/_Session` endpoint. An authenticated attacker can supply values for server-generated fields like sessionToken, expiresAt, and createdWith. The server does not filter these out, allowing the attacker to overwrite them. By setting a custom `expiresAt` value, a user can bypass the server’s configured session expiration policy and create a session that never expires. By setting a predictable sessionToken, they undermine the security of the authentication system. The vulnerability exists because the endpoint does not distinguish between user-supplied data and server-reserved fields. The patch introduces filtering to strip these server-generated fields from incoming data. This ensures that only the server can set or modify these critical session properties .
Platform: Parse Server
Version: <8.6.42, >=9.0.0<9.6.0-alpha.17
Vulnerability: Session Field Overwrite
Severity: Moderate
Date: March 18, 2026
Prediction: Patches already available
What Undercode Say:
Analytics:
This vulnerability highlights a recurring class of issues in Parse Server related to insufficient input sanitization on internal classes like _Session. Previous CVEs (CVE-2021-39138, CVE-2022-39225) have also targeted the `_Session` class, indicating it is a critical area for security review . The ability to set a predictable `sessionToken` could be chained with other vulnerabilities, such as object ID guessing (CVE-2022-39225), to take over user accounts . The disclosure and patch release were handled quickly, with patches available the same day the advisory was published.
How Exploit:
To exploit this, an attacker would send a POST request to the `/classes/_Session` endpoint with a forged payload.
Example curl command to exploit the vulnerability
curl -X POST https://your-parse-server.com/classes/_Session \
-H "X-Parse-Application-Id: YOUR_APP_ID" \
-H "X-Parse-Session-Token: VALID_SESSION_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"user": {
"__type": "Pointer",
"className": "_User",
"objectId": "TARGET_USER_ID"
},
"sessionToken": "PREDICTABLE_TOKEN_123",
"expiresAt": {
"__type": "Date",
"iso": "2099-01-01T00:00:00.000Z"
}
}'
Protection from this CVE:
- Immediate Patching: Upgrade Parse Server to version `8.6.42` (for the 8.x branch) or `9.6.0-alpha.17` (for the 9.x branch) or later.
- Workaround: If you cannot upgrade immediately, implement a `beforeSave` trigger for the `_Session` class to strip or reject attempts to write to server-generated fields.
// Cloud Code beforeSave trigger for _Session Parse.Cloud.beforeSave('_Session', (request) => { const restrictedFields = ['sessionToken', 'expiresAt', 'createdWith']; restrictedFields.forEach(field => { if (request.object.has(field) && !request.object.isNew()) { request.object.unset(field); } }); });
Impact:
Successful exploitation allows an authenticated user to create sessions that ignore the server’s expiration policy, leading to persistent unauthorized access. By setting a known sessionToken, an attacker can bypass token generation mechanisms, making session hijacking trivial. If the `createdWith` field is used in custom authorization logic, an attacker could misrepresent the session’s origin (e.g., making an anonymous session appear as a password-created one), potentially escalating privileges .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

