Potential Security Vulnerability Detected
Repository: parse-community/parse-server
Commit: 70b7b07
Author: Manuel
Date: 2026-03-08T17:22:36Z
Commit Message
fix: Parse Server session token exfiltration via `redirectClassNameForKey` query parameter ([GHSA-6r2j-cxgf-495f](https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f)) (#10143)
Pull Request
PR: #10143 - fix: Parse Server session token exfiltration via redirectClassNameForKey query parameter (GHSA-6r2j-cxgf-495f)
Labels: state:released-alpha
Description:
Pull Request
Issue
Parse Server session token exfiltration via redirectClassNameForKey query parameter ([GHSA-6r2j-cxgf-495f](https://github.com/parse-community/parse-server/security/advisories/GHSA-6r2j-cxgf-495f))
Analysis
Vulnerability Type: Insecure Direct Object Reference / Session Token Exfiltration
Severity: High
Description
Before the patch, Parse Server allowed the redirectClassNameForKey query parameter to redirect a query to the _Session class without re-applying user scoping or authentication checks for the redirected class. This let an authenticated user read other users' session objects, which contain their session tokens. The patch enforces that a query redirected to _Session is scoped to the authenticated user's own sessions and rejects unauthenticated or otherwise unauthorized access.
Affected Code
```js
this.className = newClassName;
this.redirectClassName = newClassName;
// No security re-checks or user scoping for redirected className (including _Session)
```
Proof of Concept
1. Attacker authenticates as user1 and obtains session token1.
2. Attacker crafts a query to a public class (e.g., PublicData) that has a relation field pointing to _Session.
3. With `redirectClassNameForKey` set to that relation field, the attacker issues a REST API find request:
GET /classes/PublicData?redirectClassNameForKey=pivot
(with headers including user1's session token)
4. Before the patch, the server returns all _Session objects, including those of other users (e.g., user2), allowing the attacker to exfiltrate their session tokens.
5. After the patch, such queries are scoped to only return _Session objects for the authenticated user, blocking exfiltration.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-03-08T18:00:48.438Z