Parse Server LiveQuery Protected Fields Bypass Vulnerability

Vulnerability

A vulnerability in Parse Server's LiveQuery feature allows attackers to infer the values of protected fields without having read access to them. Affected versions are 9.0.0 up to but not including 9.6.0-alpha.9, and all versions prior to 8.6.35. The vulnerability arises when a LiveQuery subscription's WHERE clause references a protected field, either directly, through dot notation, or through a regular expression constraint: whether or not the subscription fires reveals whether the constraint matched. This creates a boolean oracle that leaks protected data from any class with LiveQuery enabled and protected fields configured in its Class-Level Permissions.

Impact

Exploitation of this vulnerability allows for unauthorized access to protected field values, creating a boolean oracle that leaks sensitive information.

Remediation

Users can upgrade to Parse Server versions 9.6.0-alpha.9 or 8.6.35, where this vulnerability has been patched. Alternatively, LiveQuery can be disabled for classes using protected fields, or protected fields can be removed from classes that require LiveQuery.
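The check below is an added example for this advisory, not Parse Server's own code: it walks a LiveQuery subscription's `where` clause and refuses the subscription when any constraint (direct, dot-notation or operator-based such as `$regex`) touches a field that is protected for the requester. It assumes the caller has already resolved the requester's protected field list from the Class-Level Permissions; the field names and sample query are constructed.

```javascript
// Added example (not Parse Server's code): detect LiveQuery subscription
// `where` clauses that constrain protected fields. A field can be
// referenced directly ({ ssn: ... }), through dot notation
// ({ 'address.city': ... }) or through an operator such as $regex; in
// every case the top-level field name is what matters, so the check
// walks field keys and ignores operator keys.

// Assumption: `protectedFields` is the already-resolved list of field
// names that are protected for the subscribing requester.
function referencedProtectedFields(where, protectedFields) {
  const protectedSet = new Set(protectedFields);
  const found = new Set();

  function walk(node) {
    if (!node || typeof node !== 'object' || Array.isArray(node)) return;
    for (const [key, value] of Object.entries(node)) {
      if (key === '$or' || key === '$and' || key === '$nor') {
        // Compound clauses hold a list of sub-queries; inspect each one.
        if (Array.isArray(value)) value.forEach(walk);
        continue;
      }
      if (key.startsWith('$')) continue; // other operators carry no field name
      // 'address.city' constrains the protected top-level field 'address'.
      const topLevel = key.split('.')[0];
      if (protectedSet.has(topLevel)) found.add(topLevel);
    }
  }

  walk(where);
  return [...found].sort();
}

// Decide whether a subscription may be created: a where clause that
// touches any protected field would turn the subscription into a boolean
// oracle, so it is refused and the offending fields are reported for logging.
function checkSubscription(where, protectedFields) {
  const fields = referencedProtectedFields(where, protectedFields);
  return { allowed: fields.length === 0, fields };
}

// Constructed sample: a class protecting 'ssn' and 'address' for this requester.
const sampleProtected = ['ssn', 'address'];
const sampleWhere = {
  $or: [{ ssn: { $regex: '^12' } }, { 'address.city': 'Berlin' }],
  name: 'alice',
};
console.log(checkSubscription(sampleWhere, sampleProtected));
// { allowed: false, fields: [ 'address', 'ssn' ] }
```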

Added: Mar 11, 2026, 8:21 PM
Updated: Mar 11, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 8.3
remediation: 8.3
relevance: 3.8
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.