Parse Server
cpe:2.3:a:parseplatform:parse-server:*:*:*:*:*:*:*
- >= 9.0.0, < 9.6.0-alpha.42
- < 8.6.53
A vulnerability in Parse Server's LiveQuery WebSocket interface allows authenticated users to bypass Class-Level Permission (CLP) pointer restrictions. This issue is present in Parse Server versions 9.0.0 prior to 9.6.0-alpha.42 and in versions prior to 8.6.53. The vulnerability arises because the LiveQuery interface does not enforce pointer permissions, so a subscriber can receive data that is protected when the same class is queried via the REST API. Exploitation involves subscribing to LiveQuery events for classes with pointer permissions; the subscriber receives events regardless of whether the pointer fields on the objects point to the subscribing user.
The vulnerability allows unauthorized access to sensitive data through LiveQuery, bypassing established read permissions and potentially exposing information that should be restricted.
To reproduce this vulnerability, an authenticated user can subscribe to LiveQuery events for classes that have pointer permissions. The user will receive real-time updates for all objects in those classes, regardless of whether the pointer fields on the objects point to them. This can be done by creating a LiveQuery subscription with a session token that does not have the right to access the pointer-protected data.
Users can update to Parse Server version 9.6.0-alpha.42 or 8.6.53, where this vulnerability has been patched. The LiveQuery server now enforces pointer permissions by checking whether any configured pointer field on an object points to the subscribing user, and silently skips events for objects where none does.
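The check described in the fix, written out as an added example (not Parse Server's own code): a gate that decides whether a LiveQuery event may be delivered to a subscriber, shown next to the unpatched behaviour for contrast. It assumes the class's pointer permissions are listed under the CLP `readUserFields` key and that pointer values use Parse's JSON pointer shape; the function names and sample objects are constructed for this example.

```javascript
// Added example, not Parse Server's code. Assumptions: CLP pointer fields are
// listed under `readUserFields`; pointers look like {__type, className, objectId}.

// Collect the _User objectIds a field value refers to. Handles a single
// pointer or an array of pointers; any other value yields no ids.
function pointerUserIds(value) {
  const items = Array.isArray(value) ? value : [value];
  return items
    .filter(v => v && v.__type === 'Pointer' && v.className === '_User')
    .map(v => v.objectId);
}

// Patched behaviour: if the class has pointer permissions, at least one
// configured field must point to the subscribing user, otherwise the event
// is skipped. Classes without pointer permissions are unaffected.
function shouldDeliverEvent(clp, object, userId) {
  const pointerFields = (clp && clp.readUserFields) || [];
  if (pointerFields.length === 0) return true; // no pointer permissions configured
  if (!userId) return false;                    // anonymous subscriber never matches
  return pointerFields.some(field => pointerUserIds(object[field]).includes(userId));
}

// Unpatched behaviour, kept for contrast: pointer permissions are ignored and
// every authenticated subscriber receives every event for the class.
function shouldDeliverEventUnpatched(clp, object, userId) {
  return Boolean(userId);
}

// Constructed sample data: a Note class readable only through its `owner` pointer,
// and a Room class readable through an array-valued `members` pointer field.
const noteClp = { readUserFields: ['owner'] };
const aliceNote = {
  objectId: 'n1', text: 'private',
  owner: { __type: 'Pointer', className: '_User', objectId: 'alice' },
};
const roomClp = { readUserFields: ['members'] };
const teamRoom = {
  objectId: 'r1',
  members: [
    { __type: 'Pointer', className: '_User', objectId: 'alice' },
    { __type: 'Pointer', className: '_User', objectId: 'carol' },
  ],
};

function demo() {
  return {
    patchedOwner: shouldDeliverEvent(noteClp, aliceNote, 'alice'),          // true
    patchedOther: shouldDeliverEvent(noteClp, aliceNote, 'bob'),            // false: skipped
    unpatchedOther: shouldDeliverEventUnpatched(noteClp, aliceNote, 'bob'), // true: the leak
    patchedMember: shouldDeliverEvent(roomClp, teamRoom, 'carol'),          // true
  };
}
```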