Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 8a3db3b
Author: Manuel
Date: 2026-04-07T12:01:11Z
Commit Message
fix: Endpoints `/login` and `/verifyPassword` ignore `_User` `protectedFields` (#10409)
Pull Request
PR: #10409 - fix: Endpoints /login and /verifyPassword ignore _User protectedFields
Labels: state:released-alpha
Description:
Pull Request
Issue
Endpoints /login and /verifyPassword ignore _User protectedFields
Tasks
Analysis
Vulnerability Type: Sensitive Data Exposure
Severity: High
Description
Prior to this patch, the /login and /verifyPassword endpoints did not respect the _User class protectedFields configuration, allowing sensitive user fields (e.g., phone numbers) marked as protected to be exposed in API responses. This exposed sensitive data to unauthorized parties. The patch ensures these endpoints correctly apply protectedFields filtering, preventing leakage of sensitive user information during authentication.
Affected Code
return { response: user };
Proof of Concept
1. Create a user with sensitive field 'phone' set (e.g., '555-1234')
2. Use REST API to POST /login with that user's username and password
3. Observe the response includes the 'phone' field, despite it being configured as protected
Example:
POST /1/login HTTP/1.1
Host: localhost:8378
X-Parse-Application-Id: test
X-Parse-REST-API-Key: rest
Content-Type: application/json

{
  "username": "user1",
  "password": "password"
}

Response contains:

{
  "objectId": "user1ObjectId",
  "phone": "555-1234",        <-- Sensitive data exposed
  "sessionToken": "..."
}
This violates protectedFields policy. After patch, 'phone' is omitted unless owner exemption applies.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-04-07T12:03:34.408Z