Parse Server LiveQuery Shared Mutable State Vulnerability Leading to Protected Field Leaks

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.65 and 9.7.0-alpha.9, where LiveQuery event handlers process multiple subscribers concurrently using shared mutable objects. This can lead to leaks of protected fields and authentication data. When one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object, causing unintended data exposure or incomplete object delivery. Additionally, modifications from an afterEvent Cloud Code trigger can corrupt the shared state across concurrent subscribers. This issue affects any Parse Server deployment using LiveQuery with protected fields or afterEvent triggers, when multiple clients subscribe to the same class.

Impact

The vulnerability allows for unauthorized access to protected fields and authentication data, potentially leading to data leaks or incomplete object deliveries in LiveQuery subscriptions.

Reproduction

To reproduce this vulnerability, subscribe multiple LiveQuery clients to the same class with protected fields. One client can modify an object to remove a protected field, and another client may receive the altered object, exposing sensitive data that should remain hidden. Similarly, registering an afterEvent trigger can cause one client's modifications to leak to another through the shared mutable state.
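The shared-state pattern described above, as an added illustrative model (not Parse Server's own code): one event object fans out to several subscribers, each with its own afterEvent trigger and protected-field filter, and the difference between handing every subscriber the same reference and handing each a private copy. The subscriber list, the event object and the afterEvent trigger are constructed sample values.

```javascript
// Added illustrative model of the bug class; not Parse Server's code.
// One LiveQuery event fans out to several subscribers. For each subscriber an
// afterEvent trigger and a protected-field filter run on the event object.
const clone = (o) => JSON.parse(JSON.stringify(o)); // deep copy of plain JSON data

// Constructed sample event: a _User-like object carrying sensitive fields.
function sampleEvent() {
  return { objectId: 'abc123', username: 'alice',
           email: 'alice@example.com', sessionToken: 'r:constructed-token' };
}
// Constructed subscribers; fields in protectedFields must never reach that client.
const subscribers = [
  { id: 'admin',    useMasterKey: true,  protectedFields: [] },
  { id: 'stranger', useMasterKey: false, protectedFields: ['email', 'sessionToken'] },
  { id: 'owner',    useMasterKey: false, protectedFields: ['sessionToken'] },
];
// Hypothetical afterEvent trigger: enriches the object only for master-key clients.
function afterEvent(object, sub) {
  if (sub.useMasterKey) object.internalFlags = ['fraud-review'];
  return object;
}
// Protected-field filter applied in place to whatever object it is handed.
function filterProtectedFields(object, sub) {
  for (const field of sub.protectedFields) delete object[field];
  return object;
}
// Dispatch loop. isolate=false: vulnerable, every subscriber mutates the one shared event.
// isolate=true: the fix, each subscriber works on its own copy. The clone at send time
// models serialisation onto that client's socket.
function dispatch(event, subs, isolate) {
  const delivered = {};
  for (const sub of subs) {
    const object = isolate ? clone(event) : event;
    delivered[sub.id] = clone(filterProtectedFields(afterEvent(object, sub), sub));
  }
  return delivered;
}
// Audit: compare what each subscriber received with what it should have received
// (its own trigger and filter applied to a private copy); returns a list of findings.
function audit(delivered, subs, event) {
  const findings = [];
  for (const sub of subs) {
    const expected = filterProtectedFields(afterEvent(clone(event), sub), sub);
    const got = delivered[sub.id];
    for (const f of Object.keys(got)) if (!(f in expected)) findings.push(`${sub.id}: leaked ${f}`);
    for (const f of Object.keys(expected)) if (!(f in got)) findings.push(`${sub.id}: missing ${f}`);
  }
  return findings;
}
```

With the shared reference, the stranger receives the admin-only field added by the trigger and the owner never receives the email the admin-side filter for the stranger already deleted; with per-subscriber copies the audit is clean.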

Remediation

Users can upgrade to Parse Server versions 8.6.65 or 9.7.0-alpha.9, where this vulnerability has been patched.

Added: Mar 31, 2026, 3:55 PM
Updated: Mar 31, 2026, 3:55 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.