Parse Server Session Field Immutability Bypass Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.69 and 9.7.0-alpha.14, allowing authenticated users to bypass the immutability guard on session fields such as 'expiresAt' and 'createdWith'. By sending a null value in a PUT request to the session update endpoint, users can nullify the session expiry, making the session valid indefinitely and circumventing established session length policies.

Impact

Exploiting this vulnerability allows for indefinite session validity by nullifying the 'expiresAt' field, thereby bypassing session length policies. Additionally, nullifying the 'createdWith' field can lead to inconsistencies in session management.

Reproduction

To reproduce this vulnerability, an authenticated user can send a PUT request to the session update endpoint with a null value for the 'expiresAt' or 'createdWith' fields. This can be done using the Parse REST API, including the necessary headers such as 'X-Parse-Application-Id', 'X-Parse-REST-API-Key', and 'X-Parse-Session-Token'. After the update, the session can be verified to confirm that the expiry has been successfully nullified, allowing the session to remain valid indefinitely.

Remediation

Users can update to Parse Server versions 8.6.69 or 9.7.0-alpha.14, where this vulnerability has been patched. The patch replaces the truthiness-based guard checks, which let a null value through because null is falsy, with key-presence checks that reject any value for protected session fields, including null.
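The following is an added illustration, not Parse Server's own code, of the guard change described above: a simplified session-update handler with the truthiness-based check beside the key-presence check, run against a constructed session and a request body that sets 'expiresAt' to null. The validity model (a session with no expiry is treated as never expiring) is an assumption made to show the advisory's stated impact, not Parse Server's actual logic.

```javascript
// Added example (not Parse Server's own code): a simplified model of the
// session-update guard described in the advisory, showing why a truthiness
// check lets `null` through and how a key-presence check closes the gap.

const PROTECTED_SESSION_FIELDS = ['expiresAt', 'createdWith'];

// Vulnerable pattern: `null` is falsy, so `{ expiresAt: null }` passes the
// `if (update[field])` test and the protected field is never rejected.
function truthinessGuard(update) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    if (update[field]) {
      return { ok: false, reason: `${field} is immutable` };
    }
  }
  return { ok: true };
}

// Fixed pattern: reject the request whenever the key is present in the
// body at all, whatever its value (null included).
function keyPresenceGuard(update) {
  for (const field of PROTECTED_SESSION_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(update, field)) {
      return { ok: false, reason: `${field} is immutable` };
    }
  }
  return { ok: true };
}

// Run a raw PUT body through a guard and, if accepted, merge it into the
// stored session the way a naive update handler would.
function handleSessionUpdate(session, rawBody, guard) {
  const update = JSON.parse(rawBody); // JSON.parse keeps `null` as an own property
  const verdict = guard(update);
  if (!verdict.ok) {
    return { accepted: false, reason: verdict.reason, session };
  }
  return { accepted: true, session: { ...session, ...update } };
}

// Simplified validity model (assumption, not Parse Server's logic): a session
// with no expiry is treated as never expiring, which is the advisory's impact.
function isSessionValid(session, nowMs) {
  if (session.expiresAt == null) {
    return true;
  }
  return Date.parse(session.expiresAt) > nowMs;
}

// Constructed sample session that expires one hour after a fixed "now".
const NOW_MS = Date.parse('2026-03-31T16:30:00Z');
const SAMPLE_SESSION = {
  objectId: 'sess_constructed',
  expiresAt: '2026-03-31T17:30:00Z',
  createdWith: { action: 'login', authProvider: 'password' },
};

// Constructed request body: a null for a protected field.
const NULL_EXPIRY_BODY = '{"expiresAt": null}';

// Compare both guards on the same body and check validity two days later.
function demonstrate() {
  const vulnerable = handleSessionUpdate(SAMPLE_SESSION, NULL_EXPIRY_BODY, truthinessGuard);
  const fixed = handleSessionUpdate(SAMPLE_SESSION, NULL_EXPIRY_BODY, keyPresenceGuard);
  const twoDaysLater = NOW_MS + 48 * 3600 * 1000;
  return {
    vulnerableAccepted: vulnerable.accepted,
    vulnerableStillValidLater: isSessionValid(vulnerable.session, twoDaysLater),
    fixedAccepted: fixed.accepted,
    fixedStillValidLater: isSessionValid(fixed.session, twoDaysLater),
  };
}

console.log(demonstrate());
```

The key-presence guard rejects the body before any merge happens, so the stored session keeps its original 'expiresAt' and expires on schedule; the truthiness guard accepts the body and the merged session never expires under the model above. A detection-side check follows the same idea: reject, and log, any session update whose body contains a protected key at all, rather than only one with a truthy value.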

Added: Mar 31, 2026, 4:30 PM
Updated: Mar 31, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm

spread          6.4
impact          2.5
exploitability  6.4
remediation     8.3
relevance       5.0
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.