Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In affected versions parse Server LiveQuery does not remove protected fields in classes, passing them to the client. The LiveQueryController now removes protected fields from the client response. Users are advised to upgrade. Users unable t upgrade should use `Parse.Cloud.afterLiveQueryEvent` to manually remove protected fields.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.
| Link | Tags |
|---|---|
| https://github.com/parse-community/parse-server/security/advisories/GHSA-crrq-vr9j-fxxh | third party advisory |
| https://github.com/parse-community/parse-server/issues/8073 | issue tracking release notes patch third party advisory |
| https://github.com/parse-community/parse-server/pull/8074 | release notes third party advisory patch |
| https://github.com/parse-community/parse-server/commit/309f64ced8700321df056fb3cc97f15007a00df1 | third party advisory patch |
| https://github.com/parse-community/parse-server/commit/9fd4516cde5c742f9f29dd05468b4a43a85639a6 | third party advisory patch |
| https://github.com/parse-community/parse-server/releases/tag/5.2.4 | third party advisory release notes |