Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: d507575
Author: Manuel
Date: 2026-04-06T16:46:32Z
Commit Message
fix: Endpoint `/sessions/me` bypasses `_Session` `protectedFields` ([GHSA-g4v2-qx3q-4p64](https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64)) (#10406)
Pull Request
PR: #10406 - fix: Endpoint /sessions/me bypasses _Session protectedFields (GHSA-g4v2-qx3q-4p64)
Labels: state:released-alpha
Description:
Issue
/sessions/me bypasses _Session protectedFields ([GHSA-g4v2-qx3q-4p64](https://github.com/parse-community/parse-server/security/advisories/GHSA-g4v2-qx3q-4p64))
Tasks
Analysis
Vulnerability Type: Insecure Direct Object Reference (IDOR) / Data Exposure
Severity: High
Description
The /sessions/me endpoint previously bypassed the _Session class's protectedFields configuration: the handler looked up the session with master-key auth (Auth.master), which is not subject to protectedFields, and returned the raw result. This exposed sensitive fields such as 'createdWith' that should have been hidden from client responses, allowing any authenticated user to read protected details of their own session and potentially leaking sensitive information. The patch fixes this by re-fetching the session with the caller's auth context so that protectedFields and class-level permissions are properly enforced.
Affected Code
    handleMe(req) {
      if (!req.info || !req.info.sessionToken) {
        throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token required.');
      }
      // Vulnerable: the lookup runs with master auth, which bypasses the
      // _Session protectedFields configuration, and the unfiltered result
      // is returned to the caller.
      return rest
        .find(
          req.config,
          Auth.master(req.config),
          '_Session',
          { sessionToken: req.info.sessionToken },
          undefined,
          req.info.clientSDK,
          req.info.context
        )
        .then(response => {
          if (!response.results || response.results.length == 0) {
            throw new Parse.Error(Parse.Error.INVALID_SESSION_TOKEN, 'Session token not found.');
          }
          return {
            response: response.results[0],
          };
        });
    }
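To make the mechanism concrete, here is an added, self-contained model (not parse-server code) of how a protectedFields entry is applied depending on the auth a query runs under, with the vulnerable handler shape beside the fixed one; `applyProtectedFields`, `findSession`, the stored session row and the config values are constructed for this illustration.

```javascript
// Constructed config in the protectedFields shape Parse Server uses:
// hide createdWith on _Session from every non-master reader.
const protectedFields = { _Session: { '*': ['createdWith'] } };

// Constructed sample row standing in for a document in the _Session class.
const storedSession = {
  objectId: 'sess1',
  sessionToken: 'r:tok',
  user: { objectId: 'u1' },
  createdWith: { action: 'login', authProvider: 'password' },
};

// Hypothetical helper: strip the fields the config protects for this reader.
// Master auth is exempt from protectedFields, as it is in Parse Server.
function applyProtectedFields(className, obj, auth) {
  if (auth.isMaster) return { ...obj };
  const hidden = new Set((protectedFields[className] || {})['*'] || []);
  return Object.fromEntries(Object.entries(obj).filter(([k]) => !hidden.has(k)));
}

// Hypothetical stand-in for rest.find: match on sessionToken, then filter
// the result for the auth context the query ran under.
function findSession(sessionToken, auth) {
  if (storedSession.sessionToken !== sessionToken) return [];
  return [applyProtectedFields('_Session', storedSession, auth)];
}

// Vulnerable shape: query with master auth and return the raw result,
// so createdWith reaches the client.
function handleMeVulnerable(sessionToken) {
  const results = findSession(sessionToken, { isMaster: true });
  if (results.length === 0) throw new Error('Session token not found.');
  return results[0];
}

// Fixed shape, following the advisory's description: locate the session,
// then re-fetch it under the caller's own auth so protectedFields apply.
function handleMeFixed(sessionToken) {
  const located = findSession(sessionToken, { isMaster: true });
  if (located.length === 0) throw new Error('Session token not found.');
  const callerAuth = { isMaster: false, user: located[0].user };
  return findSession(sessionToken, callerAuth)[0];
}
```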
Proof of Concept
1. Configure the server with protectedFields to hide 'createdWith' for the _Session class.
2. Use a valid session token for an authenticated user.
3. Make a GET request to /sessions/me with the session token.
Before the patch:
    GET /sessions/me
    Headers: {
      'X-Parse-Application-Id': 'test',
      'X-Parse-REST-API-Key': 'rest',
      'X-Parse-Session-Token': '<valid_session_token>'
    }
Response contains: { createdWith: {...}, ... }
After the patch, 'createdWith' is filtered out from the response, enforcing protectedFields. This leak of protected session information could be exploited by an attacker to gather sensitive client or device details about the session.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-06T18:02:21.151Z