Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: e9c85df
Author: Manuel
Date: 2026-06-19T00:13:55Z
Commit Message
fix: LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](https://github.com/parse-community/parse-server/security/advisories/GHSA-97pr-9hgg-3p8r)) (#10515)
Pull Request
PR: #10515 - fix: LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r)
Labels: state:released-alpha
Description:
Issue
LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r))
Tasks
Analysis
Vulnerability Type: Insecure Direct Object Reference / Unauthorized Data Exposure
Severity: High
Description
Before the patch, a LiveQuery subscriber could receive sensitive object data even after losing ACL read access due to an ACL change, exposing data they should no longer be authorized to see. This patch prevents leaking post-revocation data by sending only the last authorized object state on leave events and removing unauthorized pre-grant data on enter events, thus closing a critical unauthorized data disclosure vulnerability.
Affected Code
if (type === 'leave') {
const currentReadable = isCurrentSubscriptionMatched
? false
: await this._matchesACL(message.currentParseObject.getACL(), client, requestId);
if (!currentReadable) {
localCurrentParseObject = JSON.parse(JSON.stringify(localOriginalParseObject));
}
}
Proof of Concept
1. Create a Parse object with ACL allowing user read access and set 'secretField' to 'SENSITIVE'.
2. User subscribes via LiveQuery and can see updates.
3. Perform a save that simultaneously changes 'secretField' to 'EXPOSED_SECRET' and revokes the user's read access in ACL.
4. Before the fix, the LiveQuery leave event would include 'secretField':'EXPOSED_SECRET', leaking data.
5. After the fix, the leave event contains only the last authorized value, e.g., 'secretField':'SENSITIVE', preventing exposure.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-19T06:00:45.766Z
Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: e9c85df
Author: Manuel
Date: 2026-06-19T00:13:55Z
Commit Message
Pull Request
PR: #10515 - fix: LiveQuery discloses object data to a subscriber across an ACL read-access change (GHSA-97pr-9hgg-3p8r)
Labels: state:released-alpha
Description:
Issue
LiveQuery discloses object data to a subscriber across an ACL read-access change ([GHSA-97pr-9hgg-3p8r](GHSA-97pr-9hgg-3p8r))
Tasks
Analysis
Vulnerability Type: Insecure Direct Object Reference / Unauthorized Data Exposure
Severity: High
Description
Before the patch, a LiveQuery subscriber could receive sensitive object data even after losing ACL read access due to an ACL change, exposing data they should no longer be authorized to see. This patch prevents leaking post-revocation data by sending only the last authorized object state on
leaveevents and removing unauthorized pre-grant data onenterevents, thus closing a critical unauthorized data disclosure vulnerability.Affected Code
Proof of Concept
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-19T06:00:45.766Z