Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 875cf10
Author: Manuel
Date: 2026-03-22T03:57:50Z
Commit Message
fix: Auth data exposed via /users/me endpoint ([GHSA-37mj-c2wf-cx96](https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96)) (#10278)
Pull Request
PR: #10278 - fix: Auth data exposed via /users/me endpoint (GHSA-37mj-c2wf-cx96)
Labels: state:released-alpha
Description:
Issue
Auth data exposed via /users/me endpoint ([GHSA-37mj-c2wf-cx96](https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96))
Analysis
Vulnerability Type: Information Disclosure
Severity: High
Description
The /users/me endpoint previously responded with user objects containing raw authentication data (authData), including sensitive multi-factor authentication secrets, because it queried the session (with the user included) under master key context, which bypasses the normal access controls and field protections. This exposed private authentication secrets to any authenticated user querying their own details. The patch still looks up the session with the master key, but then refetches the user object with the caller's own auth context, so access control runs and sensitive authData fields are removed before the user object is returned, preventing the authData leakage.
Affected Code
```javascript
handleMe(req) {
  if (!req.info || !req.info.sessionToken) {
    throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);
  }
  const sessionToken = req.info.sessionToken;
  // Vulnerable: the session is looked up with master key auth and the user is
  // included in that same master-key query, so the user object is returned
  // without the field protections that apply to a normal (non-master) read.
  return rest
    .find(
      req.config,
      Auth.master(req.config),
      '_Session',
      { sessionToken },
      { include: 'user' },
      req.info.clientSDK,
      req.info.context
    )
    .then(response => {
      if (!response.results || response.results.length == 0 || !response.results[0].user) {
        throw createSanitizedError(Parse.Error.INVALID_SESSION_TOKEN, 'Invalid session token', req.config);
      } else {
        const user = response.results[0].user;
        // Send token back on the login, because SDKs expect that.
        user.sessionToken = sessionToken;
        // Remove hidden properties (e.g. password), but authData is left intact.
        UsersRouter.removeHiddenProperties(user);
        return { response: user };
      }
    });
}
```
Proof of Concept
1. Authenticate as a user to get a valid session token.
2. Send a GET request to /users/me with the session token.
Example using curl:
```shell
curl -H "X-Parse-Application-Id: test" \
     -H "X-Parse-Session-Token: <valid_session_token>" \
     http://localhost:8378/1/users/me
```
Expected (vulnerable) behavior before patch: The response JSON contains user.authData.mfa.secret and user.authData.mfa.recovery fields with actual sensitive values.
Example response snippet before patch:
```json
{
  "authData": {
    "mfa": {
      "secret": "JBSWY3DPEHPK3PXP",
      "recovery": ["code1", "code2"],
      "status": "enabled"
    }
  },
  ...
}
```
After the patch, these sensitive authData fields are omitted or sanitized:
```json
{
  "authData": {
    "mfa": {
      "status": "enabled"
    }
  },
  ...
}
```
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-22T06:00:27.272Z