Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: be1d65d
Author: Manuel
Date: 2026-03-08T15:25:22Z
Commit Message
fix: Protected fields bypass via logical query operators ([GHSA-72hp-qff8-4pvv](https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv)) (#10140)
Pull Request
PR: #10140 - fix: Protected fields bypass via logical query operators (GHSA-72hp-qff8-4pvv)
Labels: state:released-alpha
Description:
Approach
Protected fields bypass via logical query operators ([GHSA-72hp-qff8-4pvv](https://github.com/parse-community/parse-server/security/advisories/GHSA-72hp-qff8-4pvv))
Analysis
Vulnerability Type: Access Control Bypass / Insecure Direct Object Reference
Severity: High
Description
The patch fixes a vulnerability where protected fields could be bypassed in queries using logical operators such as $or, $and, and $nor. Before the patch, queries containing these operators did not correctly enforce protection on sensitive fields like 'email', allowing unauthorized users to query protected data. The fix recursively inspects nested logical operators in the query and denies access if protected fields are targeted.
Affected Code
```javascript
// Pre-fix check: only the top-level keys of the where clause are inspected,
// so a protected field nested under $or / $and / $nor is never seen here.
for (const key of protectedFields) {
  if (this.restWhere[key]) {
    throw createSanitizedError(
      Parse.Error.OPERATION_FORBIDDEN,
      `This user is not allowed to query ${key} on class ${this.className}`,
      this.config
    );
  }
}
```
Proof of Concept
Send the following REST query as an authenticated non-privileged user:
```http
POST /classes/_User
{
  "where": {
    "$or": [
      {"email": "[email protected]"}
    ]
  }
}
```
Expected behavior before the fix: The query returns user objects including the protected 'email' field, bypassing access control.
Expected behavior after the fix: The query is rejected with error code OPERATION_FORBIDDEN, preventing unauthorized access to the protected 'email' field.
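As an added example (not parse-server's own code), the shape of the check the Analysis section describes: the top-level-only lookup from the affected code beside a recursive variant that descends into `$or`, `$and` and `$nor` branches, run against the proof-of-concept shape above. The function names, the placeholder e-mail address and the sample where clauses are assumptions made for this illustration.

```javascript
// Added illustration, not parse-server code. Shallow vs. recursive protected-field check.
const LOGICAL_OPERATORS = ['$or', '$and', '$nor'];

// Pre-fix shape: only top-level keys of the where clause are inspected.
function findProtectedFieldShallow(where, protectedFields) {
  for (const key of protectedFields) {
    if (where[key]) return key;
  }
  return null;
}

// Fixed shape: every branch of every nested logical operator is inspected.
// hasOwnProperty rather than a truthiness test, so a constraint such as
// {"email": ""} or {"email": null} is still treated as targeting the field.
function findProtectedFieldDeep(where, protectedFields) {
  if (!where || typeof where !== 'object') return null;
  for (const key of protectedFields) {
    if (Object.prototype.hasOwnProperty.call(where, key)) return key;
  }
  for (const op of LOGICAL_OPERATORS) {
    const branches = where[op];
    if (!Array.isArray(branches)) continue;
    for (const branch of branches) {
      const hit = findProtectedFieldDeep(branch, protectedFields);
      if (hit) return hit;
    }
  }
  return null;
}

// Mirrors the rejection in the affected code; a plain Error stands in for
// createSanitizedError / Parse.Error.OPERATION_FORBIDDEN here.
function assertNoProtectedFields(where, protectedFields, className) {
  const field = findProtectedFieldDeep(where, protectedFields);
  if (field) {
    throw new Error(`This user is not allowed to query ${field} on class ${className}`);
  }
}

// Constructed samples: the advisory's PoC shape (placeholder address), a deeper
// nesting, and a harmless query that must still be allowed.
const pocWhere = { $or: [{ email: 'user@example.invalid' }] };
const nestedWhere = { $and: [{ username: 'alice' }, { $nor: [{ email: { $exists: true } }] }] };
const plainWhere = { username: 'alice' };
```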
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T18:01:11.869Z