Insertion of Sensitive Information Into Sent Data Affecting parse-server package, versions <8.6.83 and >=9.0.0-alpha.1 <9.9.1-alpha.13


Severity

medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-JS-PARSESERVER-17420045
  • Published: 23 Jun 2026
  • Disclosed: 19 Jun 2026
  • Credit: Unknown

Introduced: 19 Jun 2026

CVE: not available. CWE: CWE-201

How to fix?

Upgrade parse-server to version 8.6.83, 9.9.1-alpha.13 or higher.

Overview

parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js.

Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data through the ParseLiveQueryServer event serialization in ParseLiveQueryServer.js. An attacker can learn object data they are no longer authorized to read when a subscribed object transitions from readable to unreadable, or from unreadable to readable, in the same save. When a leave event is triggered by an ACL read-access revocation, the server sends the object body from the post-save state instead of the last state the subscriber was allowed to see; when an enter event is triggered by an ACL grant, it can include the pre-grant original object data. This leaks secret field values to LiveQuery subscribers and exposes object contents that should have been hidden after the ACL change.

Workarounds

  • Do not change an object's field values and a subscriber's ACL read access in the same save on LiveQuery-enabled classes; perform the ACL change in a separate save before or after the content change to prevent leaking object data in leave or enter events.
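The following is an added example, not code from parse-server or from Snyk. It is a simplified model of the event selection the Overview and the workaround describe: given a subscriber, the object state before a save and the state after it, it classifies the transition as update, leave or enter, builds the payload two ways (the flawed selection the advisory describes, and a hardened selection that sends only states the subscriber was allowed to see), and runs a leak check over each payload. It then shows why the workaround works on an unpatched server: when the ACL revocation is saved on its own, the leave event can only carry content the subscriber had already seen, and the later content-only save produces no event for that subscriber at all. The object and ACL shapes, the function names and the sample objects are assumptions constructed for this illustration; the real ParseLiveQueryServer also matches subscription queries, which this model leaves out.

```javascript
// Added example (not parse-server's own code). Assumed shapes:
//   object: { objectId, <fields...>, ACL }
//   ACL (Parse style): { "<userId or *>": { read?: boolean, write?: boolean } }
function canRead(acl, userId) {
  if (!acl) return true; // no ACL on a Parse object means public read
  const entry = acl[userId] || {};
  const everyone = acl['*'] || {};
  return Boolean(entry.read || everyone.read);
}

// Classify the ACL transition for one subscriber; null means no event is due.
function classify(original, current, userId) {
  const wasReadable = original !== null && canRead(original.ACL, userId);
  const isReadable = canRead(current.ACL, userId);
  if (wasReadable && isReadable) return 'update';
  if (wasReadable && !isReadable) return 'leave';
  if (!wasReadable && isReadable) return 'enter';
  return null;
}

// Flawed selection, as the advisory describes it: the leave event carries the
// post-save body and the enter event carries the pre-grant original.
function selectPayloadUnpatched(original, current, userId) {
  const op = classify(original, current, userId);
  if (op === null) return null;
  return { op, object: current, original };
}

// Hardened selection: a leave event carries the last state the subscriber was
// allowed to see, and an enter event carries only the post-save state.
function selectPayloadFixed(original, current, userId) {
  const op = classify(original, current, userId);
  if (op === null) return null;
  if (op === 'leave') return { op, object: original };
  if (op === 'enter') return { op, object: current };
  return { op, object: current, original };
}

// The most recent state this subscriber is entitled to read, or null.
function lastAllowedState(original, current, userId) {
  if (original !== null && canRead(original.ACL, userId)) return original;
  if (canRead(current.ACL, userId)) return current;
  return null;
}

// Defender's check: list every "<part>.<field>" in the payload whose body the
// subscriber cannot read and whose value differs from the last state they were
// allowed to see. Anything listed is data that should never have been sent.
function leakedFields(payload, original, current, userId) {
  if (payload === null) return [];
  const allowed = lastAllowedState(original, current, userId) || {};
  const leaks = [];
  for (const part of ['object', 'original']) {
    const body = payload[part];
    if (!body || canRead(body.ACL, userId)) continue;
    for (const [field, value] of Object.entries(body)) {
      if (field === 'ACL' || field === 'objectId') continue;
      if (allowed[field] !== value) leaks.push(`${part}.${field}`);
    }
  }
  return leaks;
}

// Constructed sample states (alice owns the objects, bob is the subscriber).
function scenarios() {
  const bob = 'bob';
  const ownerOnly = { alice: { read: true, write: true } };
  const ownerAndBob = { alice: { read: true, write: true }, bob: { read: true } };
  // Read revocation and secret rotation in one save.
  const before = { objectId: 'x1', secret: 'old-value', ACL: ownerAndBob };
  const afterCombined = { objectId: 'x1', secret: 'new-value', ACL: ownerOnly };
  // Read grant and secret change in one save.
  const hidden = { objectId: 'x2', secret: 'never-shared', ACL: ownerOnly };
  const granted = { objectId: 'x2', secret: 'shared', ACL: ownerAndBob };
  // Advisory workaround: revoke in its own save, change the secret afterwards.
  const afterAclOnly = { ...before, ACL: ownerOnly };

  const run = (select, o, c) => leakedFields(select(o, c, bob), o, c, bob);
  return {
    leaveUnpatched: run(selectPayloadUnpatched, before, afterCombined),
    leaveFixed: run(selectPayloadFixed, before, afterCombined),
    enterUnpatched: run(selectPayloadUnpatched, hidden, granted),
    enterFixed: run(selectPayloadFixed, hidden, granted),
    splitSave1: run(selectPayloadUnpatched, before, afterAclOnly),
    splitSave2: run(selectPayloadUnpatched, afterAclOnly, afterCombined),
    splitSave2Op: classify(afterAclOnly, afterCombined, bob),
  };
}

console.log(scenarios());
```

Running it shows `object.secret` leaking from the unpatched leave payload and `original.secret` from the unpatched enter payload, empty lists for the hardened selection, and empty lists for both halves of the split save on the unpatched selector (the second save yields no event for bob, since he cannot read either state). The check in `leakedFields` is the property a test suite for a LiveQuery deployment could assert on: no body in an event may expose a field value the subscriber was not entitled to read under that body's ACL.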
