Parse Server Protected Fields Leakage via LiveQuery afterEvent Trigger Vulnerability

Vulnerability

A vulnerability in Parse Server versions 9.0.0 prior to 9.6.0-alpha.35, and in versions prior to 8.6.50, allows protected fields and authentication data to leak to all subscribers of a class when a 'Parse.Cloud.afterLiveQueryEvent' trigger is registered. The LiveQuery server mishandles sensitive data on this path and sends unfiltered JSON copies of the object to subscribed clients. As a result, any user whose Class-Level Permissions allow subscribing to the class can read protected information about other users, including personal details and OAuth tokens for third-party services.

Impact

Exploitation of this vulnerability results in the unauthorized disclosure of protected fields and 'authData' belonging to users of the affected class to anyone subscribed to that class via LiveQuery. This includes sensitive personal information and OAuth tokens issued by third-party authentication providers.

Remediation

To address this vulnerability, upgrade to Parse Server version 9.6.0-alpha.35 or 8.6.50, where the issue has been patched. As a temporary workaround, remove all 'Parse.Cloud.afterLiveQueryEvent' trigger registrations, which prevents the leakage of protected fields.
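The defensive behaviour the fix restores is per-subscriber filtering of the broadcast object. The following is an added example, not Parse Server's own code: it sanitizes a LiveQuery event payload for a given subscriber, assuming a protectedFields object in the Class-Level Permissions shape Parse Server uses ("*", "authenticated", "role:<name>"), a subscriber described as { userId, roles }, an intersection rule (a field stays hidden only if every key matching the subscriber lists it), and that a _User object is delivered unfiltered only to that user; the sample user and permissions are constructed.

```javascript
// Added example, not Parse Server's own code: sanitize a LiveQuery event
// payload per subscriber before broadcast, so protected fields and authData
// reach only the clients allowed to see them.
// Assumptions (constructed for this example): `protectedFields` has the CLP
// shape { "*": [...], "authenticated": [...], "role:<name>": [...] };
// `subscriber` is { userId, roles }; a field stays hidden only if every key
// matching the subscriber lists it; a _User object is unfiltered for that user only.

const ALWAYS_HIDDEN_ON_USER = ['authData', 'sessionToken', 'password'];

function matchingKeys(protectedFields, subscriber) {
  const keys = ['*'];
  if (subscriber.userId) {
    keys.push('authenticated');
    for (const role of subscriber.roles || []) keys.push(`role:${role}`);
  }
  return keys.filter((k) => Object.prototype.hasOwnProperty.call(protectedFields, k));
}

function hiddenFields(className, object, protectedFields, subscriber) {
  const isOwnUser = className === '_User' && !!subscriber.userId && object.objectId === subscriber.userId;
  if (isOwnUser) return new Set(); // a user may see their own authData and protected fields
  let hidden = null;
  for (const key of matchingKeys(protectedFields, subscriber)) {
    const list = new Set(protectedFields[key]);
    hidden = hidden === null ? list : new Set([...hidden].filter((f) => list.has(f)));
  }
  hidden = hidden || new Set();
  if (className === '_User') ALWAYS_HIDDEN_ON_USER.forEach((f) => hidden.add(f));
  return hidden;
}

// Returns the copy of `object` that is safe to send to `subscriber`.
function sanitizeEvent(className, object, protectedFields, subscriber) {
  const hidden = hiddenFields(className, object, protectedFields, subscriber);
  return Object.fromEntries(Object.entries(object).filter(([k]) => !hidden.has(k)));
}

// Constructed sample: a _User object as the LiveQuery server would broadcast it.
const SAMPLE_USER = {
  objectId: 'u1', username: 'alice', email: 'alice@example.com', phone: '555-0100',
  authData: { github: { id: 'gh-1', access_token: 'PLACEHOLDER_TOKEN' } },
};
const SAMPLE_PROTECTED = { '*': ['email', 'phone'], 'role:Support': ['phone'] };

const toAnonymous = sanitizeEvent('_User', SAMPLE_USER, SAMPLE_PROTECTED, { userId: null, roles: [] });
const toSupport = sanitizeEvent('_User', SAMPLE_USER, SAMPLE_PROTECTED, { userId: 'u2', roles: ['Support'] });
const toOwner = sanitizeEvent('_User', SAMPLE_USER, SAMPLE_PROTECTED, { userId: 'u1', roles: [] });
console.log(Object.keys(toAnonymous), Object.keys(toSupport), Object.keys(toOwner));
```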

Added: Mar 18, 2026, 10:20 PM
Updated: Mar 18, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          2.5
exploitability  5.4
remediation     8.3
relevance       4.1
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.