Parse Server LiveQuery Protected-Field Guard Bypass Vulnerability

Vulnerability

A vulnerability exists in Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18, allowing authenticated users with find class-level permission to bypass the protectedFields class-level permission setting on LiveQuery subscriptions. This is achieved by sending a subscription with logical operator values as array-like objects instead of arrays, which bypasses the protected-field guard. The vulnerability allows attackers to infer matches on protected fields through subscription event responses.

Impact

Exploitation allows an authenticated user who holds find class-level permission on a class to learn about fields that the protectedFields setting is meant to hide from that user. The protected field is not returned directly; instead the user subscribes with a query that conditions on the protected field and observes whether subscription events arrive, which confirms or refutes the guessed value. Repeated probes can therefore expose sensitive data such as identifiers or secrets stored in protected fields.

Reproduction

To reproduce this vulnerability, an authenticated user with find class-level permission sends a LiveQuery subscription whose where clause uses the '$or', '$and' or '$nor' operator. Instead of an array, the operator's value is a plain object with numeric keys and a length property (for example a key "0" holding a sub-condition and "length" set to 1). The protected-field guard only inspects logical-operator values that are real arrays, so the nested sub-condition is never checked, yet the subscription is still evaluated as if the value were an array. A sub-condition on a protected field is thus accepted, and the presence or absence of subscription events for a given object reveals whether the protected field matched the probed value.
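The following is an added example, not Parse Server's own code: a simplified guard of the shape the advisory describes (it only walks logical-operator values that pass Array.isArray()), a hardened guard that rejects any non-array operator value, and a simplified matcher that, like many JavaScript loops and Array.from(), happily consumes an array-like object. The field name ssn, the stored record, the probe values and all function names are constructed for the illustration and are assumptions, not identifiers from the project.

```javascript
// Added illustration, not Parse Server's code. Demonstrates how an array-like
// object for $or/$and/$nor slips past a guard keyed on Array.isArray() while
// the matcher still evaluates it, and how a hardened guard closes the gap.

const LOGICAL_OPS = ['$or', '$and', '$nor'];

// Constructed class-level permission: "ssn" is hidden from this user.
const PROTECTED_FIELDS = new Set(['ssn']);

// Assumed-vulnerable guard: the Array.isArray() check decides whether nested
// conditions are inspected, so a non-array operator value is skipped entirely.
function guardVulnerable(where) {
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      if (Array.isArray(value)) {
        for (const sub of value) guardVulnerable(sub);
      }
      continue; // array-like object: nested conditions never checked
    }
    if (PROTECTED_FIELDS.has(key)) {
      throw new Error(`query references protected field ${key}`);
    }
  }
  return true;
}

// Hardened guard: every where clause must be a plain object, and a logical
// operator whose value is not a real array is rejected outright.
function guardHardened(where) {
  if (where === null || typeof where !== 'object' || Array.isArray(where)) {
    throw new Error('where clause must be a plain object');
  }
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      if (!Array.isArray(value)) {
        throw new Error(`${key} must be an array`);
      }
      for (const sub of value) guardHardened(sub);
      continue;
    }
    if (PROTECTED_FIELDS.has(key)) {
      throw new Error(`query references protected field ${key}`);
    }
  }
  return true;
}

// Simplified matcher: Array.from() accepts array-like objects, so the nested
// conditions the guard skipped are still evaluated against the object.
function matches(object, where) {
  for (const [key, value] of Object.entries(where)) {
    if (LOGICAL_OPS.includes(key)) {
      const results = Array.from(value, sub => matches(object, sub));
      if (key === '$or' && !results.some(Boolean)) return false;
      if (key === '$and' && !results.every(Boolean)) return false;
      if (key === '$nor' && results.some(Boolean)) return false;
      continue;
    }
    if (object[key] !== value) return false;
  }
  return true;
}

// true if the guard rejects the query, false if it lets it through.
function isBlocked(guard, where) {
  try {
    guard(where);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed stored object and two subscriptions: the honest array form and
// the array-like probe described above.
const RECORD = { objectId: 'abc123', name: 'Alice', ssn: '123-45-6789' };
const HONEST = { $or: [{ ssn: '123-45-6789' }] };
const PROBE = { $or: { 0: { ssn: '123-45-6789' }, length: 1 } };

// Would a subscription fire an event for RECORD under the vulnerable guard?
// Only if the guard passes the query and the matcher matches the object.
function leaksUnderVulnerableGuard(where) {
  return !isBlocked(guardVulnerable, where) && matches(RECORD, where);
}

console.log('honest query blocked by vulnerable guard:', isBlocked(guardVulnerable, HONEST));
console.log('probe blocked by vulnerable guard:', isBlocked(guardVulnerable, PROBE));
console.log('probe fires an event (guess confirmed):', leaksUnderVulnerableGuard(PROBE));
console.log('probe blocked by hardened guard:', isBlocked(guardHardened, PROBE));
```

The inference channel is the last two checks together: a probe carrying the right value fires an event, a probe carrying a wrong value does not, so the subscriber learns the protected value without it ever being returned. The hardened guard also validates the shape of the where clause itself, because a type check on only the operator value still leaves room for other non-object shapes.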

Remediation

Upgrade to Parse Server 8.6.70 (8.x line) or 9.7.0-alpha.18 (9.x prerelease line), the first versions in which the protected-field guard on LiveQuery subscriptions rejects array-like logical-operator values; earlier versions in both lines remain affected.

Added: Mar 31, 2026, 4:30 PM
Updated: Mar 31, 2026, 4:30 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 0.6
exploitability: 6.4
remediation: 7.7
relevance: 5.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.