Listen to this Post
The vulnerability arises from a race condition in Parse Server’s LiveQuery implementation. When multiple clients subscribe to the same class, the server processes each subscriber’s event handler concurrently. A shared mutable object (the event object) is passed to each handler. The sensitive data filter, which is responsible for removing protected fields, modifies this shared object in-place. As a result, if one subscriber’s filter removes a field, the object is permanently altered. Subsequent subscribers then receive the already-filtered object, which may leak protected fields (or authentication data) to clients that should not see them, or deliver incomplete objects to clients that should have full access. The same shared-state issue affects afterEvent Cloud Code triggers: modifications made by one subscriber’s trigger are visible to others. The fix deep-clones the shared object at the start of each subscriber’s callback, ensuring isolation. A secondary bug prevented master key LiveQuery clients from receiving events on classes with protected fields due to an incorrect type passed to the filter.
Platform: Parse Server
Version: before 6.5.0
Vulnerability : LiveQuery data leak
Severity: Critical
date: 2024-07-05
Prediction: already patched upgrade
What Undercode Say:
Check Parse Server version
npm list parse-server
Simulate concurrent subscriptions (Node.js example)
const Parse = require('parse/node');
Parse.initialize('appId', 'jsKey');
Parse.serverURL = 'http://localhost:1337/parse';
const query = new Parse.Query('MyClass');
const sub1 = query.subscribe();
const sub2 = query.subscribe();
sub1.on('create', (obj) => console.log('Sub1:', obj));
sub2.on('create', (obj) => console.log('Sub2:', obj));
Exploit:
Attacker creates multiple subscriptions to a class with protected fields. When an event occurs, the first subscriber’s filter removes sensitive data; later subscribers receive the already‑stripped object, missing fields they should have, or conversely, if the filter is not applied early enough, later subscribers may see fields that were intended to be hidden.
Protection from this CVE
Upgrade to Parse Server ≥6.5.0 or ≥7.0.0‑alpha.20. No workaround exists; the fix requires deep cloning to isolate subscriber contexts.
Impact
Protected fields and authentication data can leak to unauthorized clients, or legitimate clients receive incomplete objects. afterEvent triggers may propagate unintended modifications across subscribers, breaking data integrity.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

