Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.17
- < 8.6.42
A vulnerability exists in Parse Server versions 9.0.0 up to but not including 9.6.0-alpha.17, and in versions prior to 8.6.42, allowing authenticated users to overwrite server-generated session fields, including 'sessionToken', 'expiresAt', and 'createdWith', when creating a session object via 'POST /classes/_Session'. An authenticated user can thereby bypass the server's session expiration policy by setting an arbitrary far-future expiration date, and can insert a predictable session token value.
Exploitation of this vulnerability enables an authenticated user to manipulate session data, potentially leading to unauthorized session persistence and predictable session token values.
Users can upgrade to Parse Server versions 9.6.0-alpha.17 or 8.6.42, where this vulnerability has been patched. Alternatively, a 'beforeSave' trigger can be added on the '_Session' class to validate and reject or strip any user-supplied values for 'sessionToken', 'expiresAt', and 'createdWith'.
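The workaround described above, written out as an added example (not code from Parse Server or from the advisory): a Cloud Code 'beforeSave' trigger on '_Session' that rejects a save whose 'sessionToken', 'expiresAt' or 'createdWith' violate server policy. It assumes the Parse session token format ('r:' followed by 32 hex characters), the set of 'createdWith.action' values, and a 'sessionLengthMs' matching the server's configured session lifetime; none of these come from the page.

```javascript
// Assumed format of a Parse-generated session token and known createdWith actions.
const SESSION_TOKEN_RE = /^r:[0-9a-f]{32}$/;
const KNOWN_ACTIONS = new Set(['login', 'signup', 'create', 'upgrade']);

// Return policy violations for the server-managed _Session fields.
// `fields` is {sessionToken, expiresAt, createdWith}; `policy.sessionLengthMs`
// is the server's session lifetime; `policy.now` is injectable for testing.
function sessionFieldViolations(fields, policy) {
  const violations = [];
  const now = policy.now === undefined ? Date.now() : policy.now;
  const latestAllowed = now + policy.sessionLengthMs + 60000; // allow a minute of skew

  if (fields.sessionToken !== undefined && !SESSION_TOKEN_RE.test(fields.sessionToken)) {
    violations.push('sessionToken does not match the server-generated format');
  }
  if (fields.expiresAt !== undefined) {
    const t = fields.expiresAt instanceof Date ? fields.expiresAt.getTime() : NaN;
    if (Number.isNaN(t) || t > latestAllowed) {
      violations.push('expiresAt exceeds the configured session lifetime');
    }
  }
  if (fields.createdWith !== undefined) {
    const cw = fields.createdWith;
    if (typeof cw !== 'object' || cw === null || !KNOWN_ACTIONS.has(cw.action)) {
      violations.push('createdWith.action is not a recognised value');
    }
  }
  return violations;
}

// Adapt a Cloud Code trigger request (request.object is a Parse.Object) to the check.
function checkSessionSaveRequest(request, policy) {
  const obj = request.object;
  return sessionFieldViolations({
    sessionToken: obj.get('sessionToken'),
    expiresAt: obj.get('expiresAt'),
    createdWith: obj.get('createdWith'),
  }, policy);
}

// Register the trigger only when running inside Parse Server Cloud Code.
if (typeof Parse !== 'undefined' && Parse.Cloud) {
  Parse.Cloud.beforeSave('_Session', (request) => {
    // 31536000 s (one year) is assumed here; use the deployment's sessionLength.
    const violations = checkSessionSaveRequest(request, { sessionLengthMs: 31536000 * 1000 });
    if (violations.length > 0) {
      throw new Parse.Error(Parse.Error.VALIDATION_ERROR, violations.join('; '));
    }
  });
}
```

Because the check enforces invariants on the saved values rather than on who supplied them, legitimate server-created sessions pass while a far-future 'expiresAt' or a hand-picked token is rejected.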