Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 0c0a0a5
Author: Manuel
Date: 2026-03-20T04:05:34Z
Commit Message
fix: Protected field change detection oracle via LiveQuery watch parameter ([GHSA-qpc3-fg4j-8hgm](https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm)) (#10253)
Pull Request
PR: #10253 - fix: Protected field change detection oracle via LiveQuery watch parameter (GHSA-qpc3-fg4j-8hgm)
Labels: state:released-alpha
Description:
Issue
Protected field change detection oracle via LiveQuery watch parameter ([GHSA-qpc3-fg4j-8hgm](https://github.com/parse-community/parse-server/security/advisories/GHSA-qpc3-fg4j-8hgm))
Analysis
Vulnerability Type: Data Exposure / Access Control Bypass
Severity: High
Description
Before this patch, the LiveQuery server allowed subscriptions to include protected fields in the 'watch' parameter, enabling unauthorized clients to detect changes to sensitive fields they should not access. The patch enforces permission checks on the 'watch' parameter, rejecting subscriptions that watch protected fields, preventing information leakage via LiveQuery change notifications.
Affected Code
- // Check protected fields in WHERE clause
+ // Check protected fields in WHERE clause and WATCH parameter
if (!client.hasMasterKey) {
const auth = request.user ? { user: request.user, userRoles: [] } : {};
const protectedFields =
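Review bot: The only changed line in this excerpt is the comment ("and WATCH parameter"); the excerpt ends at `const protectedFields =` before any line that compares the subscription's `watch` keys against `protectedFields` or rejects the subscription, so the enforcement the description claims cannot be verified from the hunk as quoted. The quoted region should extend to the lines that actually validate the `watch` parameter so reviewers can confirm the check is applied to non-master-key clients.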
Proof of Concept
Using the Parse LiveQuery client as a non-privileged user:
```javascript
// Subscribe as a non-privileged client and ask LiveQuery to deliver
// events only when the protected field 'secretObj' changes.
const query = new Parse.Query('SecretClass');
// 'secretObj' is a protected field
query.watch('secretObj');
query.subscribe().then(() => {
  console.log('Subscribed successfully');
}).catch(error => {
  console.error('Error subscribing:', error);
});
```
Before the patch, the subscription would succeed, allowing the client to receive update events for protected fields, leaking sensitive data like 'apiKey'. After the patch, the subscription fails with a 'Permission denied' error, preventing the data leak.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-20T06:00:28.672Z