Skip to content

[Vulnerability] parse-community/parse-server: Insecure Direct Object Reference / Unauthorized Data Exposure #593

Description

@github-actions

Potential Security Vulnerability Detected

Repository: parse-community/parse-server
Commit: e9c85df
Author: Manuel
Date: 2026-06-19T00:13:55Z

Commit Message

fix: LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r)) (#10515)

Pull Request

PR: #10515 - fix: LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r)
Labels: state:released-alpha

Description:

Issue

LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r))

Tasks

  • Add tests

Analysis

Vulnerability Type: Insecure Direct Object Reference / Unauthorized Data Exposure
Severity: High

Description

Before the patch, a LiveQuery subscriber could receive sensitive object data even after losing ACL read access due to an ACL change, exposing data they should no longer be authorized to see. This patch prevents leaking post-revocation data by sending only the last authorized object state on leave events and removing unauthorized pre-grant data on enter events, thus closing a critical unauthorized data disclosure vulnerability.

Affected Code

if (type === 'leave') {
  const currentReadable = isCurrentSubscriptionMatched
    ? false
    : await this._matchesACL(message.currentParseObject.getACL(), client, requestId);
  if (!currentReadable) {
    localCurrentParseObject = JSON.parse(JSON.stringify(localOriginalParseObject));
  }
}

Proof of Concept

1. Create a Parse object with ACL allowing user read access and set 'secretField' to 'SENSITIVE'.
2. User subscribes via LiveQuery and can see updates.
3. Perform a save that simultaneously changes 'secretField' to 'EXPOSED_SECRET' and revokes the user's read access in ACL.
4. Before the fix, the LiveQuery leave event would include 'secretField':'EXPOSED_SECRET', leaking data.
5. After the fix, the leave event contains only the last authorized value, e.g., 'secretField':'SENSITIVE', preventing exposure.

This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-19T06:00:45.766Z

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions