Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 98188d9
Author: Manuel
Date: 2026-03-08T01:15:08Z
Commit Message
fix: Bypass of class-level permissions in LiveQuery ([GHSA-7ch5-98q2-7289](https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289)) (#10133)
Pull Request
PR: #10133 - fix: Bypass of class-level permissions in LiveQuery (GHSA-7ch5-98q2-7289)
Labels: state:released-alpha
Description:
Pull Request
Issue
Bypass of class-level permissions in LiveQuery ([GHSA-7ch5-98q2-7289](https://github.com/parse-community/parse-server/security/advisories/GHSA-7ch5-98q2-7289))
Analysis
Vulnerability Type: Authorization Bypass
Severity: High
Description
The patch fixes a bypass of class-level permissions (CLP) in the LiveQuery feature, which previously allowed unauthorized clients to subscribe and receive data events even when the CLP denied them the find permission. The patch enforces validation of class-level permissions during subscription requests, preventing unauthorized access to real-time data streams.
Affected Code
```javascript
async _matchesCLP(classLevelPermissions, object, client, requestId, op) {
  // Resolve the subscriber's identity from the session token stored on the
  // subscription; a client without one only matches the public ('*') group.
  const subscriptionInfo = client.getSubscriptionInfo(requestId);
  const aclGroup = ['*'];
  let userId; // declared here so the catch block below can log it
  if (typeof subscriptionInfo !== 'undefined') {
    ({ userId } = await this.getAuthForSessionToken(subscriptionInfo.sessionToken));
    if (userId) {
      aclGroup.push(userId);
    }
  }
  try {
    // Throws when the class-level permission for `op` allows none of the
    // entries in aclGroup; any rejection is treated as "no match".
    await SchemaController.validatePermission(
      classLevelPermissions,
      object.className,
      aclGroup,
      op
    );
    return true;
  } catch (e) {
    logger.verbose(`Failed matching CLP for ${object.id} ${userId} ${e}`);
    return false;
  }
}
```
Proof of Concept
1. Configure a class "SecureChat" with a class-level permission that denies the 'find' operation to anonymous users.
2. Connect to the LiveQuery server without authentication.
3. Subscribe to "SecureChat" via LiveQuery.
4. Despite the CLP denying find to anonymous users, the subscription succeeds and receives 'create' events.
This demonstrates unauthorized access that bypasses the CLP protections. After the patch, the subscription in step 3 would be rejected.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T06:01:05.154Z