Parse Server Session Field Overwrite Vulnerability Allowing Permanent Sessions

Vulnerability

A vulnerability in Parse Server's session management has been identified, allowing authenticated users to overwrite server-generated session fields, such as 'expiresAt' and 'createdWith', when updating their own session via the REST API. This issue is present in Parse Server versions prior to 8.6.57 and 9.6.0-alpha.48. The vulnerability allows users to bypass the server's session lifetime policy, effectively making their sessions permanent.

Impact

Exploitation of this vulnerability allows authenticated users to create permanent sessions by overwriting the 'expiresAt' field, bypassing the server's session lifetime policy. Additionally, the 'createdWith' field can be manipulated, potentially leading to unauthorized actions if the application relies on this field for session management.

Reproduction

To reproduce this vulnerability, an authenticated user can send a PUT request to the '/sessions/me' endpoint with a session token. The request must include the 'expiresAt' field, set to a date in the far future, and/or the 'createdWith' field, with a value indicating an unauthorized action or provider. The server will accept the request, allowing the session fields to be overwritten.

Remediation

Users can upgrade to Parse Server version 8.6.57 or 9.6.0-alpha.48, where this vulnerability has been patched.
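For deployments that cannot upgrade immediately, the underlying control is simple: a client-initiated session update must never be allowed to touch fields the server sets itself. The following is an added example, not Parse Server's own code or its patch; it shows a validator that rejects a PUT /sessions/me body containing 'expiresAt' or 'createdWith', a policy check for stored sessions whose expiry exceeds the configured session length, and a detector run over constructed request records. The request samples, the session-length parameter and the extra helper names are assumptions made for illustration.

```javascript
// Added hardening/detection example for the session-field overwrite issue
// described above. This is NOT Parse Server's own code; the request records
// and the sessionLengthSeconds parameter are constructed for illustration.

// Fields the server sets itself when it creates a session; a client update
// must never be allowed to modify them.
const SERVER_MANAGED_SESSION_FIELDS = Object.freeze(['expiresAt', 'createdWith']);

// Return the protected keys present in an update body. Checking own keys
// (rather than values) also catches Parse-style operator objects such as
// { expiresAt: { __op: 'Delete' } } and explicit null values.
function findProtectedFields(body, protectedFields = SERVER_MANAGED_SESSION_FIELDS) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return [];
  }
  return protectedFields.filter((field) =>
    Object.prototype.hasOwnProperty.call(body, field)
  );
}

// Validate a PUT /sessions/me body: reject (rather than silently strip) any
// attempt to set server-managed fields, so the client gets a clear error and
// the attempt is visible in logs.
function validateSessionUpdate(body, protectedFields = SERVER_MANAGED_SESSION_FIELDS) {
  const violations = findProtectedFields(body, protectedFields);
  if (violations.length > 0) {
    return {
      ok: false,
      status: 400,
      error: `Session update may not modify server-managed fields: ${violations.join(', ')}`,
    };
  }
  return { ok: true, status: 200 };
}

// Defence in depth for sessions already stored: an expiresAt that lies further
// past createdAt than the configured session lifetime allows was not produced
// by the server's own policy and should be treated as invalid.
// sessionLengthSeconds is an assumed name for that configured lifetime.
function isExpiryWithinPolicy(session, sessionLengthSeconds) {
  const createdAt = Date.parse(session.createdAt);
  const expiresAt = Date.parse(session.expiresAt);
  if (Number.isNaN(createdAt) || Number.isNaN(expiresAt)) {
    return false; // unparsable timestamps fail closed
  }
  return expiresAt - createdAt <= sessionLengthSeconds * 1000;
}

// Detection: scan request records ({ method, path, body }) for session
// updates that attempt to set protected fields.
function findSuspiciousSessionUpdates(requests, protectedFields = SERVER_MANAGED_SESSION_FIELDS) {
  return requests
    .filter((r) => r.method === 'PUT' && r.path === '/sessions/me')
    .map((r) => ({ ...r, fields: findProtectedFields(r.body, protectedFields) }))
    .filter((r) => r.fields.length > 0);
}

// Constructed sample traffic (not real logs): two attempts matching the
// advisory's description, one benign update and one unrelated read.
const SAMPLE_REQUESTS = [
  { method: 'PUT', path: '/sessions/me', body: { expiresAt: { __type: 'Date', iso: '2999-01-01T00:00:00.000Z' } } },
  { method: 'PUT', path: '/sessions/me', body: { createdWith: { action: 'login', authProvider: 'anonymous' } } },
  { method: 'PUT', path: '/sessions/me', body: { customLabel: 'mobile' } },
  { method: 'GET', path: '/sessions/me', body: null },
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findSuspiciousSessionUpdates(SAMPLE_REQUESTS)) {
    console.log(`suspicious ${hit.method} ${hit.path}: ${hit.fields.join(', ')}`);
  }
}
```

Rejecting the request rather than stripping the fields is deliberate: a stripped request succeeds silently and leaves no signal, whereas a 400 response gives the client a clear reason and gives the server a loggable event that the detector above can also be pointed at. The expiry-policy check is the complementary control for sessions that were modified before the fix was applied.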

Added: Mar 24, 2026, 7:28 PM
Updated: Mar 24, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.