Parse Server Session Token Exfiltration Vulnerability via RedirectClassNameForKey Query Parameter

Vulnerability

A vulnerability in Parse Server's query handling allows an attacker, authenticated or not, to exfiltrate the session tokens of other users by abusing the redirectClassNameForKey query parameter. The issue affects Parse Server versions 9.0.0 up to but not including 9.5.2-alpha.8, and all versions prior to 8.6.21. The exfiltrated session tokens can be used to take over user accounts. Exploitation requires that the attacker can create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class.

Impact

Exploitation of this vulnerability allows for session token exfiltration, which can be used to take over user accounts.

Remediation

Upgrade to Parse Server version 9.5.2-alpha.8 or 8.6.21, where this vulnerability has been patched. As a workaround, set restrictive Class-Level Permissions so that clients cannot create new fields on classes, specifically by disabling 'addField' for public access and for unauthenticated users.
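The workaround above, as an added example that is not part of this advisory or of Parse Server's own code: a small audit that flags classes whose Class-Level Permissions leave 'addField' open to the public ("*") or to any logged-in user ("requiresAuthentication"), and that produces a hardened CLP. It assumes the CLP object shape exposed by Parse Server's schema API (find/get/create/update/delete/addField keys mapping principals to true); the class name and role name are constructed sample values.

```javascript
// Constructed sample: a class whose CLP lets anyone add fields (the weak setting).
const weakSchema = {
  className: "Post",
  classLevelPermissions: {
    find: { "*": true },
    get: { "*": true },
    create: { "*": true },
    update: { "*": true },
    delete: { "*": true },
    addField: { "*": true }, // any client can add a new (e.g. relation) field
  },
};

// True when addField is granted to the public or to every authenticated user.
function addFieldIsOpen(clp) {
  const addField = (clp && clp.addField) || {};
  return addField["*"] === true || addField.requiresAuthentication === true;
}

// Copy of the CLP with addField limited to the listed principals (e.g. "role:Admin").
// An empty list leaves field creation to the master key only.
function restrictAddField(clp, allowed = []) {
  const addField = {};
  for (const principal of allowed) addField[principal] = true;
  return { ...clp, addField };
}

// Names of classes in a schema listing that still expose addField.
function classesWithOpenAddField(schemas) {
  return schemas
    .filter((s) => addFieldIsOpen(s.classLevelPermissions))
    .map((s) => s.className);
}

// Hardened copy: only members of the (assumed) Admin role may add fields.
const hardenedSchema = {
  ...weakSchema,
  classLevelPermissions: restrictAddField(weakSchema.classLevelPermissions, ["role:Admin"]),
};

console.log("open addField:", classesWithOpenAddField([weakSchema]));
console.log("hardened addField:", hardenedSchema.classLevelPermissions.addField);
```

The hardened classLevelPermissions object is applied with the master key through Parse Server's schema endpoint (or the dashboard); re-running the audit over the fetched schema listing confirms no class is still open.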

Added: Mar 10, 2026, 9:23 PM
Updated: Mar 10, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 5.0
exploitability: 5.4
remediation: 7.9
relevance: 3.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.