parse-server@9.9.1-alpha.12

An express module providing a Parse-compatible API server

  • latest version

    9.9.0

  • latest non vulnerable version

  • first published

    13 years ago

  • latest version published

    2 months ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the parse-server package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Insertion of Sensitive Information Into Sent Data

    parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

    Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data disclosure through the ParseLiveQueryServer event serialization in ParseLiveQueryServer.js. An attacker can learn object data they are no longer authorized to read by when a subscribed object transitions from readable to unreadable or from unreadable to readable in the same save. When a leave event is triggered by an ACL read-access revocation, the server sends the object body from the post-save state instead of the last state the subscriber was allowed to see, and when an enter event is triggered by an ACL grant, it can include the pre-grant original object data. This leaks secret field values to LiveQuery subscribers and exposes object contents that should have been hidden after the ACL change.

    Workarounds

    • Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the ACL change in a separate save before or after the content change to prevent leaking object data in leave or enter events.

    How to fix Insertion of Sensitive Information Into Sent Data?

    Upgrade parse-server to version 8.6.83, 9.9.1-alpha.13 or higher.

    <8.6.83>=9.0.0-alpha.1 <9.9.1-alpha.13